You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
See doc/triage.md for instructions on how to triage this report.
package: https://github.com/ipfs/go-ipfs
versions:
- introduced: v0.5.0
fixed: v0.13.1
description: |-
### Impact
go-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running `ipfs dag import` on untrusted user inputs, for example, pinning services with a car ingest endpoint.
This include the corresponding [HTTP RPC API `v0/dag/import`](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) endpoint.
An attacker controlling the car file passed in can also make the node allocate arbitrary sized buffers creating memory exhaustion attacks.
### Patches
0.13.1, 0.14 and later.
#### Forks
For those running on forked versions of go-ipfs, simply updating the version of `github.com/ipld/go-car/v2` you are using to >= v2.4.0 should resolve the issue.
#### Libraries consumers
Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car.
You can check if your Go module has a dependency on go-car by running a command such as `go mod graph | grep go-car` in your module root.
Note: if you are using other libraries, some parts of go-car (`github.com/ipld/go-car/v2/index/...`) have not fully been fixed yet. Please see [go-car's security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg) for more information. go-ipfs do not make use of this code.
### Workarounds
The best way to work around this is to control exposure to the [HTTP RPC API endpoint for CAR imports](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) to only work with trusted data.
You can also validate that the car will not crash go-ipfs by running `car verify` on it first (`go install github.com/ipld/go-car/cmd/car@latest`).
### References
See also the [go-car security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg).
### For more information
If you have any questions or comments about this advisory:
1. Ask in the [IPFS Discourse](discuss.ipfs.io/)
1. Ask in the [IPFS Discord #ipld-chatter](https://discord.gg/ipfs)
1. Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs)
published: 2022-07-06T20:06:56Z
last_modified: 2022-07-06T20:06:56Z
ghsas:
- GHSA-f2gr-7299-487h
The text was updated successfully, but these errors were encountered:
In GitHub Security Advisory GHSA-f2gr-7299-487h, there is a vulnerability in the following Go packages or modules:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: