Headline
GHSA-q264-w97q-q778: Denial of service via HAMT Decoding Panics
Impact
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
The fix incorporates the checks from ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r, and additionally limits the fanout to <= 1024 (to avoid attempts at arbitrary-sized allocations driven by the untrusted value).
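The following Go example is added here to show the shape of the hardening the advisory describes; it is not code from go-unixfs or go-bitfield. A shard header's fanout is validated (non-zero, at most 1024, a power of two) before anything derived from it is allocated, and the bitfield length is checked against the declared fanout. The `ShardHeader` type, the function names and the sample headers are constructed for illustration; the 1024 bound is the one stated above, while the power-of-two requirement is an assumption about what a HAMT needs to map hash bits onto child slots.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Upper bound on the declared fanout, matching the <= 1024 limit the advisory describes.
const maxHamtFanout = 1024

var (
	errFanoutZero     = errors.New("hamt: fanout must be greater than zero")
	errFanoutTooLarge = fmt.Errorf("hamt: fanout exceeds maximum of %d", maxHamtFanout)
	errFanoutNotPow2  = errors.New("hamt: fanout must be a power of two")
	errBitfieldLength = errors.New("hamt: bitfield length does not match fanout")
)

// ShardHeader is a constructed stand-in (not the project's protobuf type) for the
// two fields of a HAMT shard node that matter here: the declared fanout and the
// raw bitfield that marks which of the fanout child slots are populated.
type ShardHeader struct {
	Fanout   uint64
	Bitfield []byte
}

// bitfieldBytes is the number of bytes needed to hold one bit per child slot.
func bitfieldBytes(fanout uint64) int {
	return int((fanout + 7) / 8)
}

// decodeShardUnchecked mirrors the vulnerable pattern: the attacker-controlled
// fanout flows straight into make(). A header claiming fanout = 1<<62 asks for
// roughly half an exabyte and the runtime panics (makeslice: len out of range)
// before any useful error can be returned. Never call this on untrusted input.
func decodeShardUnchecked(h ShardHeader) []byte {
	bf := make([]byte, bitfieldBytes(h.Fanout))
	copy(bf, h.Bitfield)
	return bf
}

// ValidateFanout rejects bogus fanouts before they can size an allocation and
// returns log2(fanout), the number of hash bits consumed per HAMT level.
func ValidateFanout(fanout uint64) (int, error) {
	switch {
	case fanout == 0:
		return 0, errFanoutZero
	case fanout > maxHamtFanout:
		return 0, errFanoutTooLarge
	case fanout&(fanout-1) != 0: // assumption: a HAMT needs a power-of-two fanout
		return 0, errFanoutNotPow2
	}
	return bits.TrailingZeros64(fanout), nil
}

// DecodeShard is the hardened form: the fanout is validated first, the bitfield
// length is checked against it, and only then is a fanout-sized buffer allocated
// (which can now be at most 128 bytes).
func DecodeShard(h ShardHeader) (bitfield []byte, log2Fanout int, err error) {
	log2Fanout, err = ValidateFanout(h.Fanout)
	if err != nil {
		return nil, 0, err
	}
	want := bitfieldBytes(h.Fanout)
	if len(h.Bitfield) != want {
		return nil, 0, fmt.Errorf("%w: got %d bytes, want %d", errBitfieldLength, len(h.Bitfield), want)
	}
	bitfield = make([]byte, want)
	copy(bitfield, h.Bitfield)
	return bitfield, log2Fanout, nil
}

func main() {
	// Constructed sample headers: a well-formed shard with the common fanout of 256,
	// and a malformed one whose declared fanout would drive a giant allocation.
	good := ShardHeader{Fanout: 256, Bitfield: make([]byte, 32)}
	good.Bitfield[0] = 0x81 // slots 0 and 7 populated
	bogus := ShardHeader{Fanout: 1 << 62, Bitfield: []byte{0xff}}

	for _, h := range []ShardHeader{good, bogus} {
		bf, log2, err := DecodeShard(h)
		if err != nil {
			fmt.Printf("fanout=%d rejected: %v\n", h.Fanout, err)
			continue
		}
		fmt.Printf("fanout=%d ok: %d hash bits per level, %d-byte bitfield\n", h.Fanout, log2, len(bf))
	}
}
```

The bogus header is rejected by `ValidateFanout` before `make` is ever reached, which is the property the workaround below ("do not feed untrusted user data to the decoding functions") has to be relied on for in unpatched versions.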
Patches
- https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
Workarounds
Do not feed untrusted user data to the decoding functions.
References
- https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r
Package
gomod github.com/ipfs/go-unixfs (Go)
Affected versions
< 0.4.3
Patched versions
0.4.3
References
- GHSA-q264-w97q-q778
- https://nvd.nist.gov/vuln/detail/CVE-2023-23625
- ipfs/go-unixfs@467d139
Last updated
Feb 10, 2023
Reviewed
Feb 10, 2023
Published to the GitHub Advisory Database
Feb 10, 2023
Published by the National Vulnerability Database
Feb 9, 2023
Jorropo published to ipfs/go-unixfs
Feb 9, 2023
Related news
go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.