golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/btcsuite/btcd: GHSA-27vh-h6mc-q6g8 #3189

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory GHSA-27vh-h6mc-q6g8 references a vulnerability in the following Go modules:

Module
github.com/btcsuite/btcd

Description:

Impact

The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).

This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeB...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/btcsuite/btcd
      versions:
        - fixed: 0.24.2-beta.rc1
      non_go_versions:
        - introduced: 0.10.0
      vulnerable_at: 0.24.0
summary: |-
    btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()"
    functionality in github.com/btcsuite/btcd
cves:
    - CVE-2024-38365
ghsas:
    - GHSA-27vh-h6mc-q6g8
references:
    - advisory: https://github.com/advisories/GHSA-27vh-h6mc-q6g8
    - advisory: https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8
source:
    id: GHSA-27vh-h6mc-q6g8
    created: 2024-10-10T17:01:31.999553862Z
review_status: UNREVIEWED
```

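
The advisory above turns on the exact semantics of FindAndDelete: before a signature is hashed, Bitcoin Core strips every occurrence of the serialized signature push from the script code by comparing raw bytes at opcode boundaries, so an implementation that matches on anything else produces a different sighash and therefore a different validity verdict for the same transaction. The Go program below is an added example, not btcd's code and not part of this report. It implements FindAndDelete over a small constructed script parser with Core's byte-for-byte matching of the serialized push, puts a deliberately divergent variant beside it (a hypothetical that compares only the pushed bytes, constructed here to illustrate the general pitfall; it is not a description of btcd's removeOpcode function, whose details the advisory text above truncates), and runs a differential check over a constructed corpus of the kind a consensus test suite would use to catch such a disagreement. The parser, the sample signature bytes and the corpus are all constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// Minimal script model, constructed for this example: an opcode plus any pushed
// data. Only direct pushes (0x01..0x4b) and OP_PUSHDATA1 are decoded, which is
// enough for signature-sized pushes.
type scriptOp struct {
	opcode byte
	data   []byte
}

const (
	opPushData1 = 0x4c
	opPushData2 = 0x4d
	opDup       = 0x76
	opCheckSig  = 0xac
)

// parseScript splits raw script bytes into ops, rejecting truncated pushes.
func parseScript(script []byte) ([]scriptOp, error) {
	var ops []scriptOp
	for i := 0; i < len(script); {
		op := script[i]
		i++
		n := 0
		switch {
		case op >= 0x01 && op <= 0x4b:
			n = int(op)
		case op == opPushData1:
			if i >= len(script) {
				return nil, fmt.Errorf("truncated OP_PUSHDATA1")
			}
			n, i = int(script[i]), i+1
		case op == opPushData2 || op == opPushData2+1:
			return nil, fmt.Errorf("OP_PUSHDATA2/4 not handled in this example")
		default:
			ops = append(ops, scriptOp{opcode: op})
			continue
		}
		if i+n > len(script) {
			return nil, fmt.Errorf("push of %d bytes runs past end of script", n)
		}
		ops = append(ops, scriptOp{opcode: op, data: script[i : i+n]})
		i += n
	}
	return ops, nil
}

// encode serializes an op exactly as it appeared, keeping its push encoding.
func (o scriptOp) encode() []byte {
	out := []byte{o.opcode}
	if o.opcode == opPushData1 {
		out = append(out, byte(len(o.data)))
	}
	return append(out, o.data...)
}

// pushData builds the minimal push of data (up to 255 bytes here), as
// CScript() << data does in Core.
func pushData(data []byte) []byte {
	if len(data) < opPushData1 {
		return append([]byte{byte(len(data))}, data...)
	}
	return append([]byte{opPushData1, byte(len(data))}, data...)
}

// findAndDelete follows Core's FindAndDelete: drop every element whose serialized
// bytes equal target (the serialized signature push) and report how many were
// dropped. The push encoding is part of the comparison, not just the bytes pushed.
func findAndDelete(script, target []byte) ([]byte, int, error) {
	ops, err := parseScript(script)
	if err != nil {
		return nil, 0, err
	}
	out, removed := []byte{}, 0
	for _, op := range ops {
		enc := op.encode()
		if len(target) > 0 && bytes.Equal(enc, target) {
			removed++
			continue
		}
		out = append(out, enc...)
	}
	return out, removed, nil
}

// removeByData is a hypothetical divergent variant constructed for illustration
// (not btcd's code): it compares only the pushed bytes, so a non-minimally
// encoded push of the same signature is removed where Core would keep it.
func removeByData(script, data []byte) ([]byte, error) {
	ops, err := parseScript(script)
	if err != nil {
		return nil, err
	}
	out := []byte{}
	for _, op := range ops {
		if op.data != nil && bytes.Equal(op.data, data) {
			continue
		}
		out = append(out, op.encode()...)
	}
	return out, nil
}

// differentialCheck returns the corpus indexes on which the two implementations
// disagree; a consensus test suite treats any non-empty result as a failure.
func differentialCheck(corpus [][]byte, sig []byte) ([]int, error) {
	target := pushData(sig)
	var mismatches []int
	for i, s := range corpus {
		want, _, err := findAndDelete(s, target)
		if err != nil {
			return nil, err
		}
		got, err := removeByData(s, sig)
		if err != nil {
			return nil, err
		}
		if !bytes.Equal(want, got) {
			mismatches = append(mismatches, i)
		}
	}
	return mismatches, nil
}

// sampleCorpus is constructed sample input: three script-code fragments.
func sampleCorpus(sig []byte) [][]byte {
	nonMinimal := append([]byte{opPushData1, byte(len(sig))}, sig...)
	return [][]byte{
		append(pushData(sig), opCheckSig),                               // 0: minimal push, both remove it
		append(nonMinimal, opCheckSig),                                  // 1: same bytes, PUSHDATA1 encoding
		append(pushData([]byte("unrelated-data!")), opDup, opCheckSig), // 2: no signature present
	}
}

func main() {
	sig := []byte("constructed-sig") // placeholder bytes, not a real DER signature
	mismatches, err := differentialCheck(sampleCorpus(sig), sig)
	if err != nil {
		panic(err)
	}
	fmt.Printf("implementations disagree on corpus entries: %v\n", mismatches)
}
```

Run as-is, the program reports a disagreement only on corpus entry 1: the signature bytes are identical, but the push encoding differs, and Core's comparison is over the serialized push. That is the general shape of the failure the advisory describes: two nodes hash different script code for the same transaction and so reach different verdicts on the same block.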
gopherbot commented 1 month ago

Change https://go.dev/cl/620355 mentions this issue: data/reports: add GO-2024-3189

gopherbot commented 1 month ago

Change https://go.dev/cl/620875 mentions this issue: data/reports: update GO-2024-3189