data/reports: add GO-2024-2818.yaml Aliases: CVE-2024-34478, GHSA-3jgf-r68h-xfqm Fixes golang/vulndb#2818 Change-Id: I1b08e2634b0a76d57af8d4c4b067950c11226ad1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584035 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>

commit: 14ea428de04d9ccf70f0618343e038fb1f775f7f [log] [tgz]
author: Tim King <taking@google.com> Tue May 07 22:25:20 2024 -0700
committer: Tim King <taking@google.com> Wed May 08 17:51:16 2024 +0000
tree: 502efdbd92086f83f3c1bfbfe519f654d66bedfa
parent: d62c8527c4f16b81d32a50a87c2bb54f7e8b89c5 [diff]
diff --git a/data/osv/GO-2024-2818.json b/data/osv/GO-2024-2818.json
new file mode 100644
index 0000000..c8da5e9
--- /dev/null
+++ b/data/osv/GO-2024-2818.json

@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2818",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-34478",
+    "GHSA-3jgf-r68h-xfqm"
+  ],
+  "summary": "Consensus failures in github.com/btcsuite/btcd",
+  "details": "Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/btcsuite/btcd",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.24.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/btcsuite/btcd/blockchain",
+            "symbols": [
+              "BlockChain.CalcSequenceLock",
+              "BlockChain.CheckConnectBlockTemplate",
+              "BlockChain.ProcessBlock",
+              "BlockChain.calcSequenceLock",
+              "ValidateTransactionScripts",
+              "txValidator.Validate"
+            ]
+          },
+          {
+            "path": "github.com/btcsuite/btcd/txscript",
+            "symbols": [
+              "Engine.Execute",
+              "Engine.Step",
+              "opcodeCheckSequenceVerify"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://delvingbitcoin.org/t/disclosure-btcd-consensus-bugs-due-to-usage-of-signed-transaction-version/455"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/blockchain/chain.go#L383C1-L392C3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/txscript/opcode.go#L1172C1-L1178C3"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/btcsuite/btcd/pull/1981"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Niklas Gögge"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2818"
+  }
+}
\ No newline at end of file

diff --git a/data/reports/GO-2024-2818.yaml b/data/reports/GO-2024-2818.yaml
new file mode 100644
index 0000000..0285047
--- /dev/null
+++ b/data/reports/GO-2024-2818.yaml

@@ -0,0 +1,43 @@
+id: GO-2024-2818
+modules:
+    - module: github.com/btcsuite/btcd
+      versions:
+        - fixed: 0.24.0
+      vulnerable_at: 0.23.4
+      packages:
+        - package: github.com/btcsuite/btcd/blockchain
+          symbols:
+            - BlockChain.calcSequenceLock
+          derived_symbols:
+            - BlockChain.CalcSequenceLock
+            - BlockChain.CheckConnectBlockTemplate
+            - BlockChain.ProcessBlock
+            - ValidateTransactionScripts
+            - txValidator.Validate
+        - package: github.com/btcsuite/btcd/txscript
+          symbols:
+            - opcodeCheckSequenceVerify
+          derived_symbols:
+            - Engine.Execute
+            - Engine.Step
+summary: Consensus failures in github.com/btcsuite/btcd
+description: |-
+    Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112
+    making btcd susceptible to consensus failures. Specifically, it uses the
+    transaction version as a signed integer when it is supposed to be treated as
+    unsigned. There can be a chain split and loss of funds.
+cves:
+    - CVE-2024-34478
+ghsas:
+    - GHSA-3jgf-r68h-xfqm
+credits:
+    - Niklas Gögge
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-34478
+    - web: https://delvingbitcoin.org/t/disclosure-btcd-consensus-bugs-due-to-usage-of-signed-transaction-version/455
+    - web: https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/blockchain/chain.go#L383C1-L392C3
+    - web: https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/txscript/opcode.go#L1172C1-L1178C3
+    - fix: https://github.com/btcsuite/btcd/pull/1981
+source:
+    id: GHSA-3jgf-r68h-xfqm
+    created: 2024-05-07T21:45:01.011365-07:00
commit	14ea428de04d9ccf70f0618343e038fb1f775f7f	[log] [tgz]
author	Tim King <taking@google.com>	Tue May 07 22:25:20 2024 -0700
committer	Tim King <taking@google.com>	Wed May 08 17:51:16 2024 +0000
tree	502efdbd92086f83f3c1bfbfe519f654d66bedfa
parent	d62c8527c4f16b81d32a50a87c2bb54f7e8b89c5 [diff]