data/reports: add GO-2024-2831.yaml
Aliases: CVE-2024-34360, GHSA-jcqq-g64v-gcm7

Fixes #2831
Fixes #2832

Change-Id: I8465f4bed69cf20a8e291232ec23867aba5c6d8f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585075
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
timothy-king committed May 14, 2024
1 parent 32f3555 commit f1651ad
Showing 2 changed files with 322 additions and 0 deletions.
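--- a/data/osv/GO-2024-2831.json
+++ b/data/osv/GO-2024-2831.json
@@ -0,0 +1,193 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2831",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-34360",
+"GHSA-jcqq-g64v-gcm7"
+],
+"summary": "ATX protocol validation problem in github.com/spacemeshos/go-spacemesh",
+"details": "Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.",
+"affected": [
+{
+"package": {
+"name": "github.com/spacemeshos/api/release/go",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.37.1"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/spacemeshos/api/release/go/spacemesh/v1"
+}
+]
+}
+},
+{
+"package": {
+"name": "github.com/spacemeshos/go-spacemesh",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.5.2-hotfix1"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/spacemeshos/go-spacemesh/activation",
+"symbols": [
+"Handler.HandleGossipAtx",
+"Handler.SyntacticallyValidateDeps",
+"Handler.processATX",
+"Handler.storeAtx"
+]
+},
+{
+"path": "github.com/spacemeshos/go-spacemesh/events",
+"symbols": [
+"CloseEventReporter",
+"EmitAtxPublished",
+"EmitBeacon",
+"EmitEligibilities",
+"EmitInitComplete",
+"EmitInitFailure",
+"EmitInitStart",
+"EmitInvalidPostProof",
+"EmitOwnMalfeasanceProof",
+"EmitPoetWaitProof",
+"EmitPoetWaitRound",
+"EmitPostComplete",
+"EmitPostFailure",
+"EmitPostServiceStarted",
+"EmitPostServiceStopped",
+"EmitPostStart",
+"EmitProposal",
+"InitializeReporter",
+"LayerUpdate.Field",
+"ReportAccountUpdate",
+"ReportError",
+"ReportLayerUpdate",
+"ReportMalfeasance",
+"ReportNewActivation",
+"ReportNewTx",
+"ReportNodeStatusUpdate",
+"ReportProposal",
+"ReportResult",
+"ReportRewardReceived",
+"ReportTxWithValidity",
+"SubcribeProposals",
+"Subscribe",
+"SubscribeAccount",
+"SubscribeActivations",
+"SubscribeErrors",
+"SubscribeLayers",
+"SubscribeMalfeasance",
+"SubscribeMatched",
+"SubscribeRewards",
+"SubscribeStatus",
+"SubscribeToLayers",
+"SubscribeTxs",
+"SubscribeUserEvents",
+"ToMalfeasancePB"
+]
+},
+{
+"path": "github.com/spacemeshos/go-spacemesh/malfeasance",
+"symbols": [
+"Handler.HandleSyncedMalfeasanceProof",
+"Validate"
+]
+},
+{
+"path": "github.com/spacemeshos/go-spacemesh/malfeasance/wire",
+"symbols": [
+"AtxProof.DecodeScale",
+"AtxProof.MarshalLogObject",
+"AtxProofMsg.DecodeScale",
+"AtxProofMsg.SignedBytes",
+"BallotProof.DecodeScale",
+"BallotProof.MarshalLogObject",
+"BallotProofMsg.DecodeScale",
+"BallotProofMsg.SignedBytes",
+"HareMetadata.DecodeScale",
+"HareMetadata.ToBytes",
+"HareProof.DecodeScale",
+"HareProof.MarshalLogObject",
+"HareProofMsg.DecodeScale",
+"HareProofMsg.SignedBytes",
+"InvalidPostIndexProof.DecodeScale",
+"InvalidPostIndexProof.EncodeScale",
+"MalfeasanceGossip.DecodeScale",
+"MalfeasanceGossip.EncodeScale",
+"MalfeasanceInfo",
+"MalfeasanceProof.DecodeScale",
+"MalfeasanceProof.EncodeScale",
+"MalfeasanceProof.MarshalLogObject",
+"Proof.DecodeScale",
+"Proof.EncodeScale"
+]
+},
+{
+"path": "github.com/spacemeshos/go-spacemesh/node",
+"symbols": [
+"App.setupDBs",
+"App.verifyDB"
+]
+},
+{
+"path": "github.com/spacemeshos/go-spacemesh/sql/atxs",
+"symbols": [
+"Add",
+"AddGettingNonce",
+"IterateIDsByEpoch"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7"
+},
+{
+"type": "FIX",
+"url": "https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e"
+},
+{
+"type": "FIX",
+"url": "https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87"
+},
+{
+"type": "WEB",
+"url": "https://spacemesh.io/blog/spacemesh-white-paper-1"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2831"
+}
+}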
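--- a/data/reports/GO-2024-2831.yaml
+++ b/data/reports/GO-2024-2831.yaml
@@ -0,0 +1,129 @@
+id: GO-2024-2831
+modules:
+- module: github.com/spacemeshos/api/release/go
+versions:
+- fixed: 1.37.1
+vulnerable_at: 1.37.0
+packages:
+- package: github.com/spacemeshos/api/release/go/spacemesh/v1
+- module: github.com/spacemeshos/go-spacemesh
+versions:
+- fixed: 1.5.2-hotfix1
+vulnerable_at: 1.5.1
+packages:
+- package: github.com/spacemeshos/go-spacemesh/activation
+symbols:
+- Handler.HandleGossipAtx
+- Handler.storeAtx
+- Handler.SyntacticallyValidateDeps
+- Handler.processATX
+skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
+- package: github.com/spacemeshos/go-spacemesh/events
+symbols:
+- ToMalfeasancePB
+derived_symbols:
+- CloseEventReporter
+- EmitAtxPublished
+- EmitBeacon
+- EmitEligibilities
+- EmitInitComplete
+- EmitInitFailure
+- EmitInitStart
+- EmitInvalidPostProof
+- EmitOwnMalfeasanceProof
+- EmitPoetWaitProof
+- EmitPoetWaitRound
+- EmitPostComplete
+- EmitPostFailure
+- EmitPostServiceStarted
+- EmitPostServiceStopped
+- EmitPostStart
+- EmitProposal
+- InitializeReporter
+- LayerUpdate.Field
+- ReportAccountUpdate
+- ReportError
+- ReportLayerUpdate
+- ReportMalfeasance
+- ReportNewActivation
+- ReportNewTx
+- ReportNodeStatusUpdate
+- ReportProposal
+- ReportResult
+- ReportRewardReceived
+- ReportTxWithValidity
+- SubcribeProposals
+- Subscribe
+- SubscribeAccount
+- SubscribeActivations
+- SubscribeErrors
+- SubscribeLayers
+- SubscribeMalfeasance
+- SubscribeMatched
+- SubscribeRewards
+- SubscribeStatus
+- SubscribeToLayers
+- SubscribeTxs
+- SubscribeUserEvents
+- package: github.com/spacemeshos/go-spacemesh/malfeasance
+symbols:
+- Validate
+- Handler.HandleSyncedMalfeasanceProof
+skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
+- package: github.com/spacemeshos/go-spacemesh/malfeasance/wire
+symbols:
+- MalfeasanceInfo
+- MalfeasanceProof.MarshalLogObject
+- Proof.DecodeScale
+derived_symbols:
+- AtxProof.DecodeScale
+- AtxProof.MarshalLogObject
+- AtxProofMsg.DecodeScale
+- AtxProofMsg.SignedBytes
+- BallotProof.DecodeScale
+- BallotProof.MarshalLogObject
+- BallotProofMsg.DecodeScale
+- BallotProofMsg.SignedBytes
+- HareMetadata.DecodeScale
+- HareMetadata.ToBytes
+- HareProof.DecodeScale
+- HareProof.MarshalLogObject
+- HareProofMsg.DecodeScale
+- HareProofMsg.SignedBytes
+- InvalidPostIndexProof.DecodeScale
+- InvalidPostIndexProof.EncodeScale
+- MalfeasanceGossip.DecodeScale
+- MalfeasanceGossip.EncodeScale
+- MalfeasanceProof.DecodeScale
+- MalfeasanceProof.EncodeScale
+- Proof.EncodeScale
+- package: github.com/spacemeshos/go-spacemesh/node
+symbols:
+- App.setupDBs
+- App.verifyDB
+skip_fix: 'Nonstandard cgo library: github.com/spacemeshos/post@v0.12.6/internal/postrs/api.go'
+- package: github.com/spacemeshos/go-spacemesh/sql/atxs
+symbols:
+- AddGettingNonce
+- IterateIDsByEpoch
+derived_symbols:
+- Add
+summary: ATX protocol validation problem in github.com/spacemeshos/go-spacemesh
+description: |-
+Nodes can publish ATXs which reference the incorrect previous ATX of
+the Smesher that created the ATX. ATXs are expected to form a single chain from
+the newest to the first ATX ever published by an identity. Allowing Smeshers to
+reference an earlier (but not the latest) ATX as previous breaks this protocol
+rule.
+cves:
+- CVE-2024-34360
+ghsas:
+- GHSA-jcqq-g64v-gcm7
+references:
+- advisory: https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
+- fix: https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
+- fix: https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
+- web: https://spacemesh.io/blog/spacemesh-white-paper-1
+source:
+id: GHSA-jcqq-g64v-gcm7
+created: 2024-05-11T21:02:32.457027-07:00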
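Review bot: The fixed version `1.5.2-hotfix1` for github.com/spacemeshos/go-spacemesh is a semver pre-release identifier, and pre-releases sort before their base version, so this range treats `1.5.2` and every later version as fixed while `1.5.1` stays affected. If a plain `v1.5.2` tag exists, or is later cut, without the fix commit 9aff88d, govulncheck would report it as unaffected, so the tag history is worth confirming before publishing, with the outcome recorded next to the version entry in a comment along the lines of `# 1.5.2-hotfix1 is the first tag containing the fix; <placeholder: state whether a plain v1.5.2 tag exists>`. Separately, the github.com/spacemeshos/api/release/go entry lists the spacemesh/v1 package with no symbols, which matches every importer of that package regardless of which API it uses; if the api-side fix is narrower than the whole package, listing the affected symbols would reduce false positives.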
