blob: 5dd9d1117ef9435a36d205b675bac7659dc338d9 [file] [log] [blame]
id: GO-2022-1098
modules:
- module: github.com/btcsuite/btcd
versions:
- fixed: 0.23.2
vulnerable_at: 0.23.1
packages:
- package: github.com/btcsuite/btcd/wire
symbols:
- MsgTx.BtcDecode
derived_symbols:
- MsgBlock.BtcDecode
- MsgBlock.Deserialize
- MsgBlock.DeserializeNoWitness
- MsgBlock.DeserializeTxLoc
- MsgTx.Deserialize
- MsgTx.DeserializeNoWitness
- ReadMessage
- ReadMessageN
- ReadMessageWithEncodingN
summary: Denial of service in message decoding in github.com/btcsuite/btcd
description: |-
Erroneous message decoding can cause denial of service.
Improper checking of maximum witness size during node message decoding prevented
nodes in Lightning Labs lnd (before 0.15.2-beta) to sync.
cves:
- CVE-2022-44797
ghsas:
- GHSA-2chg-86hq-7w38
credits:
- rsafier (Github user)
- Roasbeef (Github user)
references:
- advisory: https://github.com/advisories/GHSA-2chg-86hq-7w38
- report: https://github.com/lightningnetwork/lnd/issues/7002
- fix: https://github.com/btcsuite/btcd/pull/1896/commits/f523d4ccaa5f34a2f761f16a05f5d6e6665b1168
- web: https://github.com/btcsuite/btcd/releases/tag/v0.23.2
review_status: REVIEWED