GHSA-Q3J6-22WF-3JH9
Vulnerability from github – Published: 2023-05-11 20:39 – Updated: 2023-05-11 20:39This package has been moved to github.com/ipfs/boxo/bitswap, this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (CVE-2023-25568)
Remediation
This is a two step process:
1. Apply one of:
- (recommended) upgrade from github.com/ipfs/go-bitswap to github.com/ipfs/boxo/bitswap.
- If you are still using github.com/ipfs/go-bitswap and cannot upgrade to boxo, you can upgrade to github.com/ipfs/go-bitswap@v0.12.0, this will replace the go-bitswap implementation by stubs which points to boxo.
2. Open https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 and then follow boxo's remediation section.
Vulnerable symbols
>= v0.9.0; < v0.12.0github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnectedv0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocksgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected< v0.8.0github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceivedgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFromgithub.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreategithub.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected
Workarounds
If you are using the stubs at github.com/ipfs/go-bitswap and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: github.com/ipfs/go-bitswap/client.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipfs/go-bitswap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-11T20:39:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "This package has been moved to [`github.com/ipfs/boxo/bitswap`](https://pkg.go.dev/github.com/ipfs/boxo/bitswap), this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (`CVE-2023-25568`)\n\n### Remediation\nThis is a two step process:\n1. Apply one of:\n - (**recommended**) upgrade from `github.com/ipfs/go-bitswap` to `github.com/ipfs/boxo/bitswap`.\n - If you are still using `github.com/ipfs/go-bitswap` and cannot upgrade to `boxo`, you can upgrade to `github.com/ipfs/go-bitswap@v0.12.0`, this will replace the `go-bitswap` implementation by stubs which points to `boxo`.\n2. Open https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 and then follow `boxo`\u0027s remediation section.\n\n### Vulnerable symbols\n- `\u003e= v0.9.0; \u003c v0.12.0`\n - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceived`\n - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocks`\n - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreate`\n - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected`\n- `v0.8.0`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocks`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected`\n- `\u003c v0.8.0`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFrom`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate`\n - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected`\n\n### Workarounds\nIf you are using the stubs at `github.com/ipfs/go-bitswap` and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allows you to run in a client-only mode using: [`github.com/ipfs/go-bitswap/client`](https://pkg.go.dev/github.com/ipfs/go-bitswap/client).",
"id": "GHSA-q3j6-22wf-3jh9",
"modified": "2023-05-11T20:39:55Z",
"published": "2023-05-11T20:39:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/go-bitswap/security/advisories/GHSA-q3j6-22wf-3jh9"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25568"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
},
{
"type": "PACKAGE",
"url": "https://github.com/ipfs/go-bitswap"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/ipfs/go-bitswap vulnerable to DOS unbounded persistent memory leak"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.