data/reports/GO-2023-1559.yaml - vulndb - Git at Google

 modules:
   - module: github.com/ipfs/go-unixfsnode
     versions:
       - fixed: 1.5.2
     vulnerable_at: 1.5.1
     packages:
       - package: github.com/ipfs/go-unixfsnode/hamt
         symbols:
           - NewUnixFSHAMTShard
           - bitField
         derived_symbols:
           - AttemptHAMTShardFromNode
           - NewUnixFSHAMTShardWithPreload
           - _UnixFSHAMTShard.Length
           - _UnixFSHAMTShard.Lookup
           - _UnixFSHAMTShard.LookupByNode
           - _UnixFSHAMTShard.LookupBySegment
           - _UnixFSHAMTShard.LookupByString
           - _UnixFSShardedDir__ListItr.Next
       - package: github.com/ipfs/go-unixfsnode/data/builder
         symbols:
           - shard.bitmap
           - shard.serialize
         derived_symbols:
           - BlockSizes
           - BuildUnixFS
           - BuildUnixFSDirectory
           - BuildUnixFSFile
           - BuildUnixFSRecursive
           - BuildUnixFSShardedDirectory
           - BuildUnixFSSymlink
           - Data
           - DataType
           - Fanout
           - FileSize
           - FractionalNanoseconds
           - HashType
           - Mtime
           - Permissions
           - PermissionsString
           - Seconds
           - Time
 description: |
     Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
     If you are reading untrusted user input, an attacker can then trigger a panic.

     This is caused by a bogus fanout parameter in the HAMT directory nodes.

     There are no known workarounds (users are advised to upgrade).
 cves:
   - CVE-2023-23631
 ghsas:
   - GHSA-4gj3-6r43-3wfc
 credit: Jorropo
 references:
   - advisory: https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
   - fix: https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
	modules:
	- module: github.com/ipfs/go-unixfsnode
	versions:
	- fixed: 1.5.2
	vulnerable_at: 1.5.1
	packages:
	- package: github.com/ipfs/go-unixfsnode/hamt
	symbols:
	- NewUnixFSHAMTShard
	- bitField
	derived_symbols:
	- AttemptHAMTShardFromNode
	- NewUnixFSHAMTShardWithPreload
	- _UnixFSHAMTShard.Length
	- _UnixFSHAMTShard.Lookup
	- _UnixFSHAMTShard.LookupByNode
	- _UnixFSHAMTShard.LookupBySegment
	- _UnixFSHAMTShard.LookupByString
	- _UnixFSShardedDir__ListItr.Next
	- package: github.com/ipfs/go-unixfsnode/data/builder
	symbols:
	- shard.bitmap
	- shard.serialize
	derived_symbols:
	- BlockSizes
	- BuildUnixFS
	- BuildUnixFSDirectory
	- BuildUnixFSFile
	- BuildUnixFSRecursive
	- BuildUnixFSShardedDirectory
	- BuildUnixFSSymlink
	- Data
	- DataType
	- Fanout
	- FileSize
	- FractionalNanoseconds
	- HashType
	- Mtime
	- Permissions
	- PermissionsString
	- Seconds
	- Time
	description: \|
	Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
	If you are reading untrusted user input, an attacker can then trigger a panic.

	This is caused by a bogus fanout parameter in the HAMT directory nodes.

	There are no known workarounds (users are advised to upgrade).
	cves:
	- CVE-2023-23631
	ghsas:
	- GHSA-4gj3-6r43-3wfc
	credit: Jorropo
	references:
	- advisory: https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
	- fix: https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076