Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mMmdyLTcyOTktNDg3aM4AAtH1

DoS and excessive memory usage when passing untrusted user input to dag import

Impact

go-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running ipfs dag import on untrusted user inputs, for example, pinning services with a CAR ingest endpoint.
This includes the corresponding HTTP RPC API v0/dag/import endpoint.

An attacker controlling the CAR file passed in can also make the node allocate arbitrarily sized buffers, enabling memory exhaustion attacks.

Patches

0.13.1, 0.14 and later.

Forks

For those running on forked versions of go-ipfs, simply updating the version of github.com/ipld/go-car/v2 you are using to >= v2.4.0 should resolve the issue.

Library consumers

Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car.

You can check if your Go module has a dependency on go-car by running a command such as go mod graph | grep go-car in your module root.

Note: if you are using other libraries, some parts of go-car (github.com/ipld/go-car/v2/index/...) have not yet been fully fixed. Please see go-car's security advisory for more information. go-ipfs does not make use of this code.

Workarounds

The best way to work around this is to restrict exposure of the HTTP RPC API endpoint for CAR imports so that it only receives trusted data.

You can also validate that the CAR will not crash go-ipfs by running car verify on it first (go install github.com/ipld/go-car/cmd/car@latest).
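The two checks above (the go mod graph | grep go-car dependency check and the car verify gate) scripted together, as an added example that is not part of this advisory and not code from the go-ipfs or go-car projects. The function names, the SAMPLE_GRAPH module graph (a constructed stand-in for real go mod graph output) and the v2.1.1 version in it are assumptions made for illustration; the fixed version v2.4.0, the car verify command and ipfs dag import come from the advisory.

```shell
#!/bin/sh
# Added example: check a Go module's resolved go-car version against the
# fixed release named in the advisory (go-car v2 >= v2.4.0), and gate
# `ipfs dag import` behind `car verify` as the advisory's workaround suggests.
set -eu

FIXED_GO_CAR="2.4.0"   # first github.com/ipld/go-car/v2 release with the fix (from the advisory)

# version_ge A B: exit 0 if dotted version A >= B, comparing up to three
# numeric components (missing components count as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# go_car_version: read `go mod graph` output on stdin and print the highest
# github.com/ipld/go-car/v2 version required anywhere in the graph (Go's
# minimal version selection picks the highest requirement), or nothing if
# go-car is not in the graph at all.
go_car_version() {
  best=""
  for v in $(sed -n 's/.*github\.com\/ipld\/go-car\/v2@v\([0-9][0-9.]*\).*/\1/p' | sort -u); do
    if [ -z "$best" ] || version_ge "$v" "$best"; then
      best=$v
    fi
  done
  printf '%s\n' "$best"
}

# report_go_car: read `go mod graph` output on stdin and report.
# Exit status: 0 = go-car at or above the fixed version, 1 = vulnerable
# version selected, 2 = go-car not a dependency of this module.
report_go_car() {
  v=$(go_car_version)
  if [ -z "$v" ]; then
    echo "go-car is not in this module's dependency graph"
    return 2
  fi
  if version_ge "$v" "$FIXED_GO_CAR"; then
    echo "go-car v$v >= v$FIXED_GO_CAR: fixed"
    return 0
  fi
  echo "go-car v$v < v$FIXED_GO_CAR: affected, upgrade github.com/ipld/go-car/v2" >&2
  return 1
}

# safe_dag_import FILE: the advisory's workaround as a wrapper. The CAR is
# only handed to `ipfs dag import` after `car verify` accepts it; a file that
# fails verification never reaches the node. Needs `car` and `ipfs` on PATH.
safe_dag_import() {
  car verify "$1" || { echo "refusing to import $1: car verify failed" >&2; return 1; }
  ipfs dag import "$1"
}

# Constructed sample graph (assumption, not real go mod graph output): a
# hypothetical service depending on a go-ipfs build that resolves go-car v2.1.1.
SAMPLE_GRAPH='github.com/example/pinning-service github.com/ipfs/go-ipfs@v0.13.0
github.com/ipfs/go-ipfs@v0.13.0 github.com/ipld/go-car/v2@v2.1.1
github.com/ipfs/go-ipfs@v0.13.0 github.com/ipld/go-ipld-prime@v0.16.0'

# Usage: `sh check-go-car.sh --check` in a module root runs the real check;
# `sh check-go-car.sh --import file.car` runs the gated import; with no
# arguments the constructed sample graph is reported (flagged as affected).
case "${1:-}" in
  --check)  go mod graph | report_go_car ;;
  --import) safe_dag_import "$2" ;;
  *)        printf '%s\n' "$SAMPLE_GRAPH" | report_go_car || true ;;
esac
```

The version comparison is done in awk rather than with sort -V so the script stays POSIX and behaves the same on busybox and GNU userlands; the status code of report_go_car is what a CI job would key on.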

References

See also the go-car security advisory.

For more information

If you have any questions or comments about this advisory:

  1. Ask in the IPFS Discourse
  2. Ask in the IPFS Discord #ipld-chatter
  3. Open an issue in go-ipfs

Permalink: https://github.com/advisories/GHSA-f2gr-7299-487h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mMmdyLTcyOTktNDg3aM4AAtH1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-f2gr-7299-487h
References: Repository: https://github.com/ipfs/go-ipfs
Blast Radius: 0.0

Affected Packages

go:github.com/ipfs/go-ipfs
Dependent packages: 368
Dependent repositories: 475
Downloads:
Affected Version Ranges: >= 0.5.0, < 0.13.1
Fixed in: 0.13.1
All affected versions: 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0
All unaffected versions: 0.2.2, 0.2.3, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.4.15, 0.4.16, 0.4.17, 0.4.18, 0.4.19, 0.4.20, 0.4.21, 0.4.22, 0.4.23, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0