Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nM3Z2LWcyajUtNDVmMs05dw
ipld/go-codec-dagpb panics when processing certain blocks
Impact
Decoding certain blocks using the go-ipld-prime version of the dag-pb codec (go-codec-dagpb) can cause a panic. The panic comes from an assumption that the reported link length is accurate, but if the block ends before that reported length then it’s a buffer overread.
Patches
The issue is fixed in v1.3.1 and above.
Consumers can discover the versions of go-codec-dagpb in a module's dependency graph using the following command in the module root:
go mod graph | grep go-codec-dagpb
Workarounds
You can work around this issue without upgrading by recovering panics higher in the call stack of the goroutine that calls the defective code.
For more information
If you have any questions or comments about this advisory:
- Ask in IPFS Discord #ipld-chatter
- Open an issue in go-codec-dagpb
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nM3Z2LWcyajUtNDVmMs05dw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-g3vv-g2j5-45f2
References:
- https://github.com/ipld/go-codec-dagpb/security/advisories/GHSA-g3vv-g2j5-45f2
- https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57
- https://pkg.go.dev/vuln/GO-2022-0422
- https://nvd.nist.gov/vuln/detail/CVE-2022-2584
- https://github.com/advisories/GHSA-g3vv-g2j5-45f2
Blast Radius: 21.2
Affected Packages
go:github.com/ipld/go-codec-dagpb
Dependent packages: 696Dependent repositories: 670
Downloads:
Affected Version Ranges: < 1.3.1
Fixed in: 1.3.1
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0
All unaffected versions: 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.0