| id: GO-2022-0422 |
| modules: |
| - module: github.com/ipld/go-codec-dagpb |
| versions: |
| - fixed: 1.3.1 |
| vulnerable_at: 1.3.0 |
| packages: |
| - package: github.com/ipld/go-codec-dagpb |
| symbols: |
| - DecodeBytes |
| derived_symbols: |
| - Decode |
| - Decoder |
| - Unmarshal |
| summary: Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb |
| description: The dag-pb codec can panic when decoding invalid blocks. |
| published: 2022-07-01T20:08:04Z |
| ghsas: |
| - GHSA-967g-cjx4-h7j6 |
| - GHSA-g3vv-g2j5-45f2 |
| references: |
| - fix: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57 |
| cve_metadata: |
| id: CVE-2022-2584 |
| cwe: 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer' |
| review_status: REVIEWED |