x/vulndb: potential Go vuln in github.com/btcsuite/btcd: CVE-2022-44797, GHSA-2chg-86hq-7w38

[GoVulnBot]

CVE-2022-44797 references github.com/lightningnetwork/lnd, which may be a Go module.

Description:
btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-44797
• JSON: https://github.com/CVEProject/cvelist/tree/ed4e1a4f88fb21e9dbd2557616557b758b97243e/2022/44xxx/CVE-2022-44797.json
• web: [bug]: Fail to chain sync on testnet3 & mainnet errors relating to: script witness item is larger than the max allowed size lightningnetwork/lnd#7002
• web: https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta
• fix: wire: remove erroneous witness size check in wire parsing btcsuite/btcd#1896
• web: https://github.com/btcsuite/btcd/releases/tag/v0.23.2
• Imported by: https://pkg.go.dev/github.com/lightningnetwork/lnd?tab=importedby

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/lightningnetwork/lnd
    packages:
      - package: n/a
description: |
    btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking.
cves:
  - CVE-2022-44797
references:
  - web: https://github.com/lightningnetwork/lnd/issues/7002
  - web: https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta
  - fix: https://github.com/btcsuite/btcd/pull/1896
  - web: https://github.com/btcsuite/btcd/releases/tag/v0.23.2

[zpavlinovic]

This is an issue in btcd/wire, not lnd. lnd module uses btcd as a dependency, so the fix for lnd is just a dependency update.

Will treat this is an issue for github.com/btcsuite/btcd, but not lnd (which also looks like a binary.)

[gopherbot]

Change https://go.dev/cl/448536 mentions this issue: data/reports: add GO-2022-1098.yaml