golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/ipfs/go-unixfs: CVE-2023-23625 #1557

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

CVE-2023-23625 references github.com/ipfs/go-unixfs, which may be a Go module.

Description: go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

References:

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: github.com/ipfs/go-unixfs
    packages:
      - package: go-unixfs
description: |
    go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
cves:
  - CVE-2023-23625
references:
  - web: https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
  - fix: https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
```

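As an added illustration (not go-unixfs code and not the referenced fix) of the check a decoder of untrusted HAMT shards needs: the node's `fanout` is validated before any per-level structure is sized from it. `maxFanout`, `hamtNode` and `decodeShard` are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// maxFanout is an assumed bound (hypothetical): 1<<10 means 10 hash bits per level.
const maxFanout = 1 << 10
var ErrBadFanout = errors.New("hamt: invalid fanout")

// hamtNode stands in for the decoded data of a HAMT shard (constructed type).
type hamtNode struct {
	Fanout uint64
	Links  int // child links present in the node
}

// validateFanout rejects values that break the hash-bit arithmetic or would
// let a decoder size fanout-wide tables from attacker-controlled input.
func validateFanout(fanout uint64) error {
	switch {
	case fanout == 0:
		return fmt.Errorf("%w: zero", ErrBadFanout)
	case bits.OnesCount64(fanout) != 1:
		return fmt.Errorf("%w: %d is not a power of two", ErrBadFanout, fanout)
	case fanout > maxFanout:
		return fmt.Errorf("%w: %d exceeds %d", ErrBadFanout, fanout, maxFanout)
	}
	return nil
}

// decodeShard is the guarded entry point: it returns log2(fanout), the hash
// bits consumed per level, and sizes nothing from Fanout until it is checked.
func decodeShard(n hamtNode) (int, error) {
	if err := validateFanout(n.Fanout); err != nil {
		return 0, err
	}
	if n.Links < 0 || uint64(n.Links) > n.Fanout {
		return 0, fmt.Errorf("hamt: %d links exceed fanout %d", n.Links, n.Fanout)
	}
	return bits.TrailingZeros64(n.Fanout), nil // exact log2 for a power of two
}

func main() {
	for _, n := range []hamtNode{{Fanout: 256, Links: 3}, {Fanout: 0}, {Fanout: 300}, {Fanout: 1 << 40}} {
		b, err := decodeShard(n)
		fmt.Println(n.Fanout, b, err)
	}
}
```
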
gopherbot commented 1 year ago

Change https://go.dev/cl/468175 mentions this issue: data/reports: add GO-2023-1557.yaml