GHSA-7fw6-6mfj-g3q2

Source
https://github.com/advisories/GHSA-7fw6-6mfj-g3q2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-7fw6-6mfj-g3q2/GHSA-7fw6-6mfj-g3q2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7fw6-6mfj-g3q2
Published
2022-11-02T18:14:30Z
Modified
2022-11-02T18:14:30Z
Summary
ckb: Transaction header_deps validation issue (network forking)
Details

Impact

fn HeaderChecker#check_valid skipped main-chain checking after this PR: https://github.com/nervosnetwork/ckb/pull/1646/files#diff-c4e017b67c1b3005ca0c446a9b0879571aa36a858b1f7ddd1b9328a884e3214bR171-R176

It will cause network forking if a transaction uses a forked block header in its header_deps that does not exist in the local node's storage.

Patches

0.101.1 and later versions

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T18:14:30Z"
}
References

Affected packages

crates.io / ckb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.101.1

Database specific

{
    "last_known_affected_version_range": "<= 0.101.0"
}