blob: 184adf2364433a0802d387d9c8dd559fdc320fb3 [file] [log] [blame]
id: GO-2024-2831
modules:
- module: github.com/spacemeshos/api/release/go
versions:
- fixed: 1.37.1
vulnerable_at: 1.37.0
packages:
- package: github.com/spacemeshos/api/release/go/spacemesh/v1
- module: github.com/spacemeshos/go-spacemesh
versions:
- fixed: 1.5.2-hotfix1
vulnerable_at: 1.5.1
packages:
- package: github.com/spacemeshos/go-spacemesh/activation
symbols:
- Handler.HandleGossipAtx
- Handler.storeAtx
- Handler.SyntacticallyValidateDeps
- Handler.processATX
skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
- package: github.com/spacemeshos/go-spacemesh/events
symbols:
- ToMalfeasancePB
derived_symbols:
- CloseEventReporter
- EmitAtxPublished
- EmitBeacon
- EmitEligibilities
- EmitInitComplete
- EmitInitFailure
- EmitInitStart
- EmitInvalidPostProof
- EmitOwnMalfeasanceProof
- EmitPoetWaitProof
- EmitPoetWaitRound
- EmitPostComplete
- EmitPostFailure
- EmitPostServiceStarted
- EmitPostServiceStopped
- EmitPostStart
- EmitProposal
- InitializeReporter
- LayerUpdate.Field
- ReportAccountUpdate
- ReportError
- ReportLayerUpdate
- ReportMalfeasance
- ReportNewActivation
- ReportNewTx
- ReportNodeStatusUpdate
- ReportProposal
- ReportResult
- ReportRewardReceived
- ReportTxWithValidity
- SubcribeProposals
- Subscribe
- SubscribeAccount
- SubscribeActivations
- SubscribeErrors
- SubscribeLayers
- SubscribeMalfeasance
- SubscribeMatched
- SubscribeRewards
- SubscribeStatus
- SubscribeToLayers
- SubscribeTxs
- SubscribeUserEvents
- package: github.com/spacemeshos/go-spacemesh/malfeasance
symbols:
- Validate
- Handler.HandleSyncedMalfeasanceProof
skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
- package: github.com/spacemeshos/go-spacemesh/malfeasance/wire
symbols:
- MalfeasanceInfo
- MalfeasanceProof.MarshalLogObject
- Proof.DecodeScale
derived_symbols:
- AtxProof.DecodeScale
- AtxProof.MarshalLogObject
- AtxProofMsg.DecodeScale
- AtxProofMsg.SignedBytes
- BallotProof.DecodeScale
- BallotProof.MarshalLogObject
- BallotProofMsg.DecodeScale
- BallotProofMsg.SignedBytes
- HareMetadata.DecodeScale
- HareMetadata.ToBytes
- HareProof.DecodeScale
- HareProof.MarshalLogObject
- HareProofMsg.DecodeScale
- HareProofMsg.SignedBytes
- InvalidPostIndexProof.DecodeScale
- InvalidPostIndexProof.EncodeScale
- MalfeasanceGossip.DecodeScale
- MalfeasanceGossip.EncodeScale
- MalfeasanceProof.DecodeScale
- MalfeasanceProof.EncodeScale
- Proof.EncodeScale
- package: github.com/spacemeshos/go-spacemesh/node
symbols:
- App.setupDBs
- App.verifyDB
skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
- package: github.com/spacemeshos/go-spacemesh/sql/atxs
symbols:
- AddGettingNonce
- IterateIDsByEpoch
derived_symbols:
- Add
summary: ATX protocol validation problem in github.com/spacemeshos/go-spacemesh
description: |-
Nodes can publish ATXs which reference the incorrect previous ATX of
the Smesher that created the ATX. ATXs are expected to form a single chain from
the newest to the first ATX ever published by an identity. Allowing Smeshers to
reference an earlier (but not the latest) ATX as previous breaks this protocol
rule.
cves:
- CVE-2024-34360
ghsas:
- GHSA-jcqq-g64v-gcm7
references:
- advisory: https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
- fix: https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
- fix: https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
- web: https://spacemesh.io/blog/spacemesh-white-paper-1
source:
id: GHSA-jcqq-g64v-gcm7
created: 2024-05-11T21:02:32.457027-07:00
review_status: REVIEWED