{
"schema_version": "1.3.1",
"id": "GO-2023-1559",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-23631",
"GHSA-4gj3-6r43-3wfc"
],
"summary": "Denial of service via HAMT decoding panic in github.com/ipfs/go-unixfsnode",
"details": "Reading a malformed HAMT sharded directory can cause panics and virtual memory leaks. An application that reads untrusted user input can therefore be made to panic by an attacker.\n\nThis is caused by a bogus fanout parameter in the HAMT directory nodes.\n\nThere are no known workarounds; users are advised to upgrade to a fixed version (1.5.2 or later).",
"affected": [
{
"package": {
"name": "github.com/ipfs/go-unixfsnode",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/ipfs/go-unixfsnode/hamt",
"symbols": [
"AttemptHAMTShardFromNode",
"NewUnixFSHAMTShard",
"NewUnixFSHAMTShardWithPreload",
"_UnixFSHAMTShard.Length",
"_UnixFSHAMTShard.Lookup",
"_UnixFSHAMTShard.LookupByNode",
"_UnixFSHAMTShard.LookupBySegment",
"_UnixFSHAMTShard.LookupByString",
"_UnixFSShardedDir__ListItr.Next",
"bitField"
]
},
{
"path": "github.com/ipfs/go-unixfsnode/data/builder",
"symbols": [
"BlockSizes",
"BuildUnixFS",
"BuildUnixFSDirectory",
"BuildUnixFSFile",
"BuildUnixFSRecursive",
"BuildUnixFSShardedDirectory",
"BuildUnixFSSymlink",
"Data",
"DataType",
"Fanout",
"FileSize",
"FractionalNanoseconds",
"HashType",
"Mtime",
"Permissions",
"PermissionsString",
"Seconds",
"Time",
"shard.bitmap",
"shard.serialize"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
},
{
"type": "FIX",
"url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
}
],
"credits": [
{
"name": "Jorropo"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1559"
}
}