GO-2023-1559

Source
https://pkg.go.dev/vuln/GO-2023-1559
Import Source
https://vuln.go.dev/ID/GO-2023-1559.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1559
Aliases
Published
2023-02-14T19:41:30Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service via HAMT decoding panic in github.com/ipfs/go-unixfsnode
Details

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic.

This is caused by a bogus fanout parameter in the HAMT directory nodes.

There are no known workarounds (users are advised to upgrade).

References
Credits
    • Jorropo

Affected packages

Go / github.com/ipfs/go-unixfsnode

Package

Name
github.com/ipfs/go-unixfsnode
Purl
pkg:golang/github.com/ipfs/go-unixfsnode

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/ipfs/go-unixfsnode/hamt",
            "symbols": [
                "AttemptHAMTShardFromNode",
                "NewUnixFSHAMTShard",
                "NewUnixFSHAMTShardWithPreload",
                "_UnixFSHAMTShard.Length",
                "_UnixFSHAMTShard.Lookup",
                "_UnixFSHAMTShard.LookupByNode",
                "_UnixFSHAMTShard.LookupBySegment",
                "_UnixFSHAMTShard.LookupByString",
                "_UnixFSShardedDir__ListItr.Next",
                "bitField"
            ]
        },
        {
            "path": "github.com/ipfs/go-unixfsnode/data/builder",
            "symbols": [
                "BlockSizes",
                "BuildUnixFS",
                "BuildUnixFSDirectory",
                "BuildUnixFSFile",
                "BuildUnixFSRecursive",
                "BuildUnixFSShardedDirectory",
                "BuildUnixFSSymlink",
                "Data",
                "DataType",
                "Fanout",
                "FileSize",
                "FractionalNanoseconds",
                "HashType",
                "Mtime",
                "Permissions",
                "PermissionsString",
                "Seconds",
                "Time",
                "shard.bitmap",
                "shard.serialize"
            ]
        }
    ]
}