data/reports/GO-2024-2831.yaml - vulndb - Git at Google

 id: GO-2024-2831
 modules:
     - module: github.com/spacemeshos/api/release/go
       versions:
         - fixed: 1.37.1
       vulnerable_at: 1.37.0
       packages:
         - package: github.com/spacemeshos/api/release/go/spacemesh/v1
     - module: github.com/spacemeshos/go-spacemesh
       versions:
         - fixed: 1.5.2-hotfix1
       vulnerable_at: 1.5.1
       packages:
         - package: github.com/spacemeshos/go-spacemesh/activation
           symbols:
             - Handler.HandleGossipAtx
             - Handler.storeAtx
             - Handler.SyntacticallyValidateDeps
             - Handler.processATX
           skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
         - package: github.com/spacemeshos/go-spacemesh/events
           symbols:
             - ToMalfeasancePB
           derived_symbols:
             - CloseEventReporter
             - EmitAtxPublished
             - EmitBeacon
             - EmitEligibilities
             - EmitInitComplete
             - EmitInitFailure
             - EmitInitStart
             - EmitInvalidPostProof
             - EmitOwnMalfeasanceProof
             - EmitPoetWaitProof
             - EmitPoetWaitRound
             - EmitPostComplete
             - EmitPostFailure
             - EmitPostServiceStarted
             - EmitPostServiceStopped
             - EmitPostStart
             - EmitProposal
             - InitializeReporter
             - LayerUpdate.Field
             - ReportAccountUpdate
             - ReportError
             - ReportLayerUpdate
             - ReportMalfeasance
             - ReportNewActivation
             - ReportNewTx
             - ReportNodeStatusUpdate
             - ReportProposal
             - ReportResult
             - ReportRewardReceived
             - ReportTxWithValidity
             - SubcribeProposals
             - Subscribe
             - SubscribeAccount
             - SubscribeActivations
             - SubscribeErrors
             - SubscribeLayers
             - SubscribeMalfeasance
             - SubscribeMatched
             - SubscribeRewards
             - SubscribeStatus
             - SubscribeToLayers
             - SubscribeTxs
             - SubscribeUserEvents
         - package: github.com/spacemeshos/go-spacemesh/malfeasance
           symbols:
             - Validate
             - Handler.HandleSyncedMalfeasanceProof
           skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
         - package: github.com/spacemeshos/go-spacemesh/malfeasance/wire
           symbols:
             - MalfeasanceInfo
             - MalfeasanceProof.MarshalLogObject
             - Proof.DecodeScale
           derived_symbols:
             - AtxProof.DecodeScale
             - AtxProof.MarshalLogObject
             - AtxProofMsg.DecodeScale
             - AtxProofMsg.SignedBytes
             - BallotProof.DecodeScale
             - BallotProof.MarshalLogObject
             - BallotProofMsg.DecodeScale
             - BallotProofMsg.SignedBytes
             - HareMetadata.DecodeScale
             - HareMetadata.ToBytes
             - HareProof.DecodeScale
             - HareProof.MarshalLogObject
             - HareProofMsg.DecodeScale
             - HareProofMsg.SignedBytes
             - InvalidPostIndexProof.DecodeScale
             - InvalidPostIndexProof.EncodeScale
             - MalfeasanceGossip.DecodeScale
             - MalfeasanceGossip.EncodeScale
             - MalfeasanceProof.DecodeScale
             - MalfeasanceProof.EncodeScale
             - Proof.EncodeScale
         - package: github.com/spacemeshos/go-spacemesh/node
           symbols:
             - App.setupDBs
             - App.verifyDB
           skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
         - package: github.com/spacemeshos/go-spacemesh/sql/atxs
           symbols:
             - AddGettingNonce
             - IterateIDsByEpoch
           derived_symbols:
             - Add
 summary: ATX protocol validation problem in github.com/spacemeshos/go-spacemesh
 description: |-
     Nodes can publish ATXs which reference the incorrect previous ATX of
     the Smesher that created the ATX. ATXs are expected to form a single chain from
     the newest to the first ATX ever published by an identity. Allowing Smeshers to
     reference an earlier (but not the latest) ATX as previous breaks this protocol
     rule.
 cves:
     - CVE-2024-34360
 ghsas:
     - GHSA-jcqq-g64v-gcm7
 references:
     - advisory: https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
     - fix: https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
     - fix: https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
     - web: https://spacemesh.io/blog/spacemesh-white-paper-1
 source:
     id: GHSA-jcqq-g64v-gcm7
     created: 2024-05-11T21:02:32.457027-07:00
 review_status: REVIEWED
	id: GO-2024-2831
	modules:
	- module: github.com/spacemeshos/api/release/go
	versions:
	- fixed: 1.37.1
	vulnerable_at: 1.37.0
	packages:
	- package: github.com/spacemeshos/api/release/go/spacemesh/v1
	- module: github.com/spacemeshos/go-spacemesh
	versions:
	- fixed: 1.5.2-hotfix1
	vulnerable_at: 1.5.1
	packages:
	- package: github.com/spacemeshos/go-spacemesh/activation
	symbols:
	- Handler.HandleGossipAtx
	- Handler.storeAtx
	- Handler.SyntacticallyValidateDeps
	- Handler.processATX
	skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
	- package: github.com/spacemeshos/go-spacemesh/events
	symbols:
	- ToMalfeasancePB
	derived_symbols:
	- CloseEventReporter
	- EmitAtxPublished
	- EmitBeacon
	- EmitEligibilities
	- EmitInitComplete
	- EmitInitFailure
	- EmitInitStart
	- EmitInvalidPostProof
	- EmitOwnMalfeasanceProof
	- EmitPoetWaitProof
	- EmitPoetWaitRound
	- EmitPostComplete
	- EmitPostFailure
	- EmitPostServiceStarted
	- EmitPostServiceStopped
	- EmitPostStart
	- EmitProposal
	- InitializeReporter
	- LayerUpdate.Field
	- ReportAccountUpdate
	- ReportError
	- ReportLayerUpdate
	- ReportMalfeasance
	- ReportNewActivation
	- ReportNewTx
	- ReportNodeStatusUpdate
	- ReportProposal
	- ReportResult
	- ReportRewardReceived
	- ReportTxWithValidity
	- SubcribeProposals
	- Subscribe
	- SubscribeAccount
	- SubscribeActivations
	- SubscribeErrors
	- SubscribeLayers
	- SubscribeMalfeasance
	- SubscribeMatched
	- SubscribeRewards
	- SubscribeStatus
	- SubscribeToLayers
	- SubscribeTxs
	- SubscribeUserEvents
	- package: github.com/spacemeshos/go-spacemesh/malfeasance
	symbols:
	- Validate
	- Handler.HandleSyncedMalfeasanceProof
	skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
	- package: github.com/spacemeshos/go-spacemesh/malfeasance/wire
	symbols:
	- MalfeasanceInfo
	- MalfeasanceProof.MarshalLogObject
	- Proof.DecodeScale
	derived_symbols:
	- AtxProof.DecodeScale
	- AtxProof.MarshalLogObject
	- AtxProofMsg.DecodeScale
	- AtxProofMsg.SignedBytes
	- BallotProof.DecodeScale
	- BallotProof.MarshalLogObject
	- BallotProofMsg.DecodeScale
	- BallotProofMsg.SignedBytes
	- HareMetadata.DecodeScale
	- HareMetadata.ToBytes
	- HareProof.DecodeScale
	- HareProof.MarshalLogObject
	- HareProofMsg.DecodeScale
	- HareProofMsg.SignedBytes
	- InvalidPostIndexProof.DecodeScale
	- InvalidPostIndexProof.EncodeScale
	- MalfeasanceGossip.DecodeScale
	- MalfeasanceGossip.EncodeScale
	- MalfeasanceProof.DecodeScale
	- MalfeasanceProof.EncodeScale
	- Proof.EncodeScale
	- package: github.com/spacemeshos/go-spacemesh/node
	symbols:
	- App.setupDBs
	- App.verifyDB
	skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
	- package: github.com/spacemeshos/go-spacemesh/sql/atxs
	symbols:
	- AddGettingNonce
	- IterateIDsByEpoch
	derived_symbols:
	- Add
	summary: ATX protocol validation problem in github.com/spacemeshos/go-spacemesh
	description: \|-
	Nodes can publish ATXs which reference the incorrect previous ATX of
	the Smesher that created the ATX. ATXs are expected to form a single chain from
	the newest to the first ATX ever published by an identity. Allowing Smeshers to
	reference an earlier (but not the latest) ATX as previous breaks this protocol
	rule.
	cves:
	- CVE-2024-34360
	ghsas:
	- GHSA-jcqq-g64v-gcm7
	references:
	- advisory: https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
	- fix: https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
	- fix: https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
	- web: https://spacemesh.io/blog/spacemesh-white-paper-1
	source:
	id: GHSA-jcqq-g64v-gcm7
	created: 2024-05-11T21:02:32.457027-07:00
	review_status: REVIEWED