id: GO-2022-1155
modules:
    - module: github.com/ipfs/go-merkledag
      versions:
        - introduced: 0.4.0
        - fixed: 0.8.1
      vulnerable_at: 0.7.0
      packages:
        - package: github.com/ipfs/go-merkledag
          symbols:
            - ProtoNode.SetCidBuilder
            - ProtoNode.marshalImmutable
            - ProtoNode.AddRawLink
            - ProtoNode.UnmarshalJSON
            - ProtoNode.Cid
            - ProtoNode.RawData
            - ProtoNode.Multihash
            - ProtoNode.SetLinks
          derived_symbols:
            - ProtoNode.AddNodeLink
            - ProtoNode.AsBool
            - ProtoNode.AsBytes
            - ProtoNode.AsFloat
            - ProtoNode.AsInt
            - ProtoNode.AsLink
            - ProtoNode.AsString
            - ProtoNode.EncodeProtobuf
            - ProtoNode.IsAbsent
            - ProtoNode.IsNull
            - ProtoNode.Kind
            - ProtoNode.Length
            - ProtoNode.ListIterator
            - ProtoNode.Loggable
            - ProtoNode.LookupByIndex
            - ProtoNode.LookupByNode
            - ProtoNode.LookupBySegment
            - ProtoNode.LookupByString
            - ProtoNode.MapIterator
            - ProtoNode.Marshal
            - ProtoNode.Size
            - ProtoNode.Stat
            - ProtoNode.String
            - ProtoNode.UpdateNodeLink
summary: Panic in github.com/ipfs/go-merkledag
description: |-
    A ProtoNode may be modified in such a way as to cause various encode errors
    which will trigger a panic on common method calls that don't allow for error
    returns.
    Additionally, use of the ProtoNode.SetCidBuilder() method to set a non-functioning
    CidBuilder (such as one that refers to a multihash where an implementation of
    that hash function is not available) may cause the same methods to panic, as a
    new CID is required but cannot be created.
cves:
    - CVE-2022-23495
ghsas:
    - GHSA-x39j-h85h-3f46
credits:
    - '@mrd0ll4r (https://github.com/mrd0ll4r)'
references:
    - advisory: https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46
    - report: https://github.com/ipfs/kubo/issues/9297
    - report: https://github.com/ipfs/go-merkledag/issues/90
    - fix: https://github.com/ipfs/go-merkledag/pull/91
    - fix: https://github.com/ipfs/go-merkledag/pull/92
    - fix: https://github.com/ipfs/go-merkledag/pull/93
review_status: REVIEWED