GHSA-q3j6-22wf-3jh9 – github.com/ipfs/go-bitswap
Package
Manager: go
Name: github.com/ipfs/go-bitswap
Vulnerable Version: >=0 <0.12.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
github.com/ipfs/go-bitswap vulnerable to DOS unbounded persistent memory leak

This package has been moved to [`github.com/ipfs/boxo/bitswap`](https://pkg.go.dev/github.com/ipfs/boxo/bitswap); this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 (`CVE-2023-25568`)

### Remediation

This is a two-step process:

1. Apply one of:
   - (**recommended**) upgrade from `github.com/ipfs/go-bitswap` to `github.com/ipfs/boxo/bitswap`.
   - If you are still using `github.com/ipfs/go-bitswap` and cannot upgrade to `boxo`, you can upgrade to `github.com/ipfs/go-bitswap@v0.12.0`; this replaces the `go-bitswap` implementation with stubs that point to `boxo`.
2. Open https://github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5 and then follow `boxo`'s remediation section.

### Vulnerable symbols

- `>= v0.9.0; < v0.12.0`
  - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).MessageReceived`
  - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).NotifyNewBlocks`
  - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).findOrCreate`
  - `github.com/ipfs/go-bitswap/server/internal/decision.(*Engine).PeerConnected`
- `v0.8.0`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).NotifyNewBlocks`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected`
- `< v0.8.0`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).MessageReceived`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).receiveBlocksFrom`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).findOrCreate`
  - `github.com/ipfs/go-bitswap/internal/decision.(*Engine).PeerConnected`

### Workarounds

If you are using the stubs at `github.com/ipfs/go-bitswap` and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allow you to run in a client-only mode using: [`github.com/ipfs/go-bitswap/client`](https://pkg.go.dev/github.com/ipfs/go-bitswap/client).
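The following is an added example, not code from the advisory or from the go-bitswap project, showing how a dependency audit can apply the range above (`>=0 <0.12.0`) to a go.mod file: it reads the `require` directive for `github.com/ipfs/go-bitswap` in either the one-line or block form, compares the version against the fixed `v0.12.0` (a pre-release such as `v0.12.0-rc1` still counts as vulnerable), and reports that even `v0.12.0` only stubs to `boxo`, so the `boxo` advisory must still be followed. The `sampleGoMod` text, the function names and the `Verdict` type are constructed for this example; only the module path and version boundary come from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Range from the advisory: every github.com/ipfs/go-bitswap release below v0.12.0.
const (
	vulnModule   = "github.com/ipfs/go-bitswap"
	fixedVersion = "v0.12.0"
)

// sampleGoMod is a constructed go.mod used only to exercise the checker offline.
const sampleGoMod = `module example.com/constructed/app

go 1.19

require (
	github.com/ipfs/go-bitswap v0.11.0 // indirect
	github.com/ipfs/go-cid v0.3.2
)
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts
// and reports whether a pre-release tag is present.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return nums, false, fmt.Errorf("malformed version %q", v)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// lessThan reports whether a < b in semver order; a pre-release sorts before its release.
func lessThan(a, b string) (bool, error) {
	an, ap, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	bn, bp, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			return an[i] < bn[i], nil
		}
	}
	return ap && !bp, nil
}

// requiredVersion returns the version a go.mod requires for module, handling both
// "require x v1" and the parenthesised "require ( ... )" block; "" means not required.
func requiredVersion(gomod, module string) string {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" and similar comments
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// Verdict is what the advisory implies for one go.mod (constructed type for this example).
type Verdict struct {
	Version    string // required go-bitswap version, "" when not required directly
	Vulnerable bool   // true when Version < v0.12.0
	Note       string
}

func assess(gomod string) (Verdict, error) {
	v := requiredVersion(gomod, vulnModule)
	if v == "" {
		return Verdict{Note: "go-bitswap not required directly; check boxo/bitswap against GHSA-m974-xj4j-7qv5"}, nil
	}
	vuln, err := lessThan(v, fixedVersion)
	if err != nil {
		return Verdict{Version: v}, err
	}
	note := "v0.12.0 only stubs to boxo; still follow the boxo advisory"
	if vuln {
		note = "upgrade to github.com/ipfs/boxo/bitswap (recommended) or go-bitswap v0.12.0, then follow the boxo advisory"
	}
	return Verdict{Version: v, Vulnerable: vuln, Note: note}, nil
}
```

Running `assess` over a real go.mod gives only the directly required version; for the effective version after `replace` directives and minimal version selection, feed the output of `go list -m github.com/ipfs/go-bitswap` into `lessThan` instead.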
Metadata
Created: 2023-05-11T20:39:55Z
Modified: 2023-05-11T20:39:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-q3j6-22wf-3jh9/GHSA-q3j6-22wf-3jh9.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: N/A
Finding: F067
Auto approve: 1