GO-2023-1559
- Source
- https://pkg.go.dev/vuln/GO-2023-1559
- Import Source
- https://vuln.go.dev/ID/GO-2023-1559.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2023-1559
- Aliases
- Published
- 2023-02-14T19:41:30Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Denial of service via HAMT decoding panic in github.com/ipfs/go-unixfsnode
- Details
-
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
There are no known workarounds (users are advised to upgrade).
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2023-1559", "review_status": "REVIEWED" }- References
- Credits
-
-
- Jorropo
-
Affected packages
Go / github.com/ipfs/go-unixfsnode
Package
- Name
- github.com/ipfs/go-unixfsnode
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ipfs/go-unixfsnode
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.5.2
Ecosystem specific
{
"imports": [
{
"symbols": [
"AttemptHAMTShardFromNode",
"NewUnixFSHAMTShard",
"NewUnixFSHAMTShardWithPreload",
"_UnixFSHAMTShard.Length",
"_UnixFSHAMTShard.Lookup",
"_UnixFSHAMTShard.LookupByNode",
"_UnixFSHAMTShard.LookupBySegment",
"_UnixFSHAMTShard.LookupByString",
"_UnixFSShardedDir__ListItr.Next",
"bitField"
],
"path": "github.com/ipfs/go-unixfsnode/hamt"
},
{
"symbols": [
"BlockSizes",
"BuildUnixFS",
"BuildUnixFSDirectory",
"BuildUnixFSFile",
"BuildUnixFSRecursive",
"BuildUnixFSShardedDirectory",
"BuildUnixFSSymlink",
"Data",
"DataType",
"Fanout",
"FileSize",
"FractionalNanoseconds",
"HashType",
"Mtime",
"Permissions",
"PermissionsString",
"Seconds",
"Time",
"shard.bitmap",
"shard.serialize"
],
"path": "github.com/ipfs/go-unixfsnode/data/builder"
}
]
}