GHSA-7225-M954-23V7

Vulnerability from github – Published: 2024-11-20 18:23 – Updated: 2024-11-22 20:48
VLAI
Summary
ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic
Details

Name: ASA-2024-010: Mismatched bit-length in sdk.Int and sdk.Dec can lead to panic Component: Cosmos SDK / Math Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2) Affected versions: cosmossdk.io/math package versions <= math/v1.3.0 Affected users: Chain Builders + Maintainers, Validators

Impact

The bit-length in sdk.Int and sdk.Dec are not aligned, which may present a possible panic condition when interacting with Dec types in an Int context. This issue was resolved by aligning the max size between the data types in the cosmossdk.io/math package.

This issue impacts consumers of the cosmossdk.io/math, which includes popular modules including IBC-Go and tokenfactory (permissionless). If your chain interacts with APIs in the cosmossdk.io/math package, or utilizes a module that consumes this library, it is advised to update to the latest version at the time of the patch release by updating your project's go.mod dependency for cosmossdk.io/math.

The patch can be applied without a hard-fork, and with a version bump in a chain's go.mod file like the following:

go.mod

- cosmossdk.io/math v1.3.0
+ cosmossdk.io/math v1.4.0

[!NOTE]
When on a lower version than cosmossdk.io/math v1.3.0, please do a coordinated upgrade before upgrading to >= 1.3.0

Patches

The new release of cosmossdk.io/math v1.4.0 resolves this issue. Chains that utilize the cosmossdk.io/math library or modules that utilize the cosmossdk.io/math library should update to avoid this condition.

Timeline

  • October 31, 2024, 6:55pm UTC: Issue reported to the Cosmos Bug Bounty program
  • October 31, 2024, 8:56pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
  • Nov 15, 2024, 2:12am PST: Core team completes patch for issue
  • Nov 19, 2024, 8:00am PST / 16:00 GMT: Pre-notification delivered
  • Nov 20, 2024, 8:00am PST / 16:00 GMT: Patch made available

This issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 31, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "cosmossdk.io/math"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T18:23:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Name: ASA-2024-010: Mismatched bit-length in `sdk.Int` and `sdk.Dec` can lead to panic \nComponent: Cosmos SDK / Math\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: `cosmossdk.io/math` package versions \u003c= `math/v1.3.0`\nAffected users: Chain Builders + Maintainers, Validators\n\n### Impact\n\nThe bit-length in `sdk.Int` and `sdk.Dec` are not aligned, which may present a possible panic condition when interacting with `Dec` types in an `Int` context. This issue was resolved by aligning the max size between the data types in the cosmossdk.io/math package.\n\nThis issue impacts consumers of the cosmossdk.io/math, which includes popular modules including IBC-Go and tokenfactory (permissionless). If your chain interacts with APIs in the cosmossdk.io/math package, or utilizes a module that consumes this library, it is advised to update to the latest version at the time of the patch release by updating your project\u0027s go.mod dependency for cosmossdk.io/math.\n\nThe patch can be applied without a hard-fork, and with a version bump in a chain\u0027s go.mod file like the following:\n\n#### `go.mod`\n\n```diff\n- cosmossdk.io/math v1.3.0\n+ cosmossdk.io/math v1.4.0\n```\n\n\u003e [!NOTE]  \n\u003e When on a lower version than cosmossdk.io/math v1.3.0, please do a coordinated upgrade before upgrading to \u003e= 1.3.0\n\n### Patches\n\nThe new release of `cosmossdk.io/math v1.4.0` resolves this issue.  Chains that utilize the cosmossdk.io/math library or modules that utilize the cosmossdk.io/math library should update to avoid this condition.\n\n### Timeline\n\n* October 31, 2024, 6:55pm UTC: Issue reported to the Cosmos Bug Bounty program\n* October 31, 2024, 8:56pm UTC: Issue triaged by Amulet on-call, and distributed to Core team\n* Nov 15, 2024, 2:12am PST: Core team completes patch for issue\n* Nov 19, 2024, 8:00am PST / 16:00 GMT: Pre-notification delivered\n* Nov 20, 2024, 8:00am PST / 16:00 GMT: Patch made available\n\n\nThis issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 31, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io).  For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.  \n\n",
  "id": "GHSA-7225-m954-23v7",
  "modified": "2024-11-22T20:48:48Z",
  "published": "2024-11-20T18:23:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-7225-m954-23v7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/commit/c6522a72a45c34897f9fc85d438c0b74d52f8862"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/cosmos-sdk"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…