GHSA-f2gr-7299-487h – github.com/ipfs/go-ipfs
Package
Manager: go
Name: github.com/ipfs/go-ipfs
Vulnerable Version: >=0.5.0 <0.13.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
DOS and excessive memory usage when passing untrusted user input to dag import

### Impact

go-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running `ipfs dag import` on untrusted user inputs, for example pinning services with a CAR ingest endpoint. This includes the corresponding [HTTP RPC API `v0/dag/import`](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) endpoint. An attacker controlling the CAR file passed in can also make the node allocate arbitrarily sized buffers, enabling memory exhaustion attacks.

### Patches

0.13.1, 0.14 and later.

#### Forks

For those running forked versions of go-ipfs, updating the version of `github.com/ipld/go-car/v2` you are using to >= v2.4.0 should resolve the issue.

#### Library consumers

Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car. You can check whether your Go module has a dependency on go-car by running a command such as `go mod graph | grep go-car` in your module root.

Note: if you are using other libraries, some parts of go-car (`github.com/ipld/go-car/v2/index/...`) have not yet been fully fixed. Please see [go-car's security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg) for more information. go-ipfs does not make use of this code.

### Workarounds

The best way to work around this is to restrict exposure of the [HTTP RPC API endpoint for CAR imports](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) so that it only receives trusted data. You can also validate that a CAR file will not crash go-ipfs by running `car verify` on it first (`go install github.com/ipld/go-car/cmd/car@latest`).

### References

See also the [go-car security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg).
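As an added illustration of the dependency check described above (example code, not part of the advisory or of go-ipfs): a Go program that scans `go mod graph` output for requirements on `github.com/ipld/go-car/v2` below the fixed v2.4.0, treating pre-release and Go pseudo-versions as older than the release they precede. The module-graph lines are constructed sample input, not from a real module.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and first fixed release named in the advisory.
const goCarModule, fixedVersion = "github.com/ipld/go-car/v2", "v2.4.0"

// versionRank maps "vMAJOR.MINOR.PATCH[-suffix]" to one comparable integer: the numbers
// in base 100000, then 1 for a release or 0 for a pre-/pseudo-version (v2.4.0-rc1 < v2.4.0).
func versionRank(v string) int64 {
	num, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var rank int64
	for _, f := range strings.SplitN(num, ".", 3) {
		n, _ := strconv.Atoi(f) // a non-numeric component counts as 0
		rank = rank*100000 + int64(n)
	}
	if pre {
		return rank * 2
	}
	return rank*2 + 1
}

// VulnerableGoCarEdges scans `go mod graph` output ("requirer dependency@version"
// per line) and returns "requirer -> version" for each go-car/v2 edge below the fix.
func VulnerableGoCarEdges(graph string) []string {
	var hits []string
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			mod, ver, _ := strings.Cut(f[1], "@")
			if mod == goCarModule && versionRank(ver) < versionRank(fixedVersion) {
				hits = append(hits, f[0]+" -> "+ver)
			}
		}
	}
	return hits
}

// Constructed sample of `go mod graph` output; not taken from any real module.
const sampleGraph = `example.com/app github.com/ipfs/go-ipfs@v0.13.0
github.com/ipfs/go-ipfs@v0.13.0 github.com/ipld/go-car/v2@v2.1.1
example.com/app github.com/ipld/go-car/v2@v2.4.0
example.com/app github.com/ipld/go-car/v2@v2.4.0-rc1`

func main() {
	fmt.Println("vulnerable go-car requirements:", VulnerableGoCarEdges(sampleGraph))
}
```

Feed it the real output of `go mod graph` from your module root to list every requirer still pinning a pre-fix go-car/v2; an exact v2.4.0 requirement is not reported, while a v2.4.0 pre-release is.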
### For more information

If you have any questions or comments about this advisory:

1. Ask in the [IPFS Discourse](discuss.ipfs.io/)
2. Ask in the [IPFS Discord #ipld-chatter](https://discord.gg/ipfs)
3. Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs)
Metadata
Created: 2022-07-06T20:06:56Z
Modified: 2022-07-06T20:06:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-f2gr-7299-487h/GHSA-f2gr-7299-487h.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F067
Auto approve: 1