data/reports: add GO-2024-3112

- data/reports/GO-2024-3112.yaml

Fixes golang/vulndb#3112

Change-Id: I8994a6237e57ed892704ca4841a1ad8ed28090e1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/613258
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Tatiana Bradley 2024-09-13 15:50:08 -04:00 коммит произвёл Gopher Robot
Родитель 5b8657f20c
Коммит 84dc493a29
2 изменённых файлов: 545 добавлений и 0 удалений

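--- a/data/osv/GO-2024-3112.json
+++ b/data/osv/GO-2024-3112.json
@@ -0,0 +1,298 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-3112",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"GHSA-g5xx-c4hv-9ccc"
+],
+"summary": "CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft",
+"details": "CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft",
+"affected": [
+{
+"package": {
+"name": "github.com/cometbft/cometbft",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0.37.0"
+},
+{
+"fixed": "0.37.11"
+},
+{
+"introduced": "0.38.0"
+},
+{
+"fixed": "0.38.12"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/cometbft/cometbft/light",
+"symbols": [
+"Client.TrustedLightBlock",
+"Client.Update",
+"Client.VerifyHeader",
+"Client.VerifyLightBlockAtHeight",
+"Client.compareFirstHeaderWithWitnesses",
+"Client.compareNewHeaderWithWitness",
+"Client.detectDivergence",
+"Client.findNewPrimary",
+"Client.initializeWithTrustOptions",
+"ErrInvalidHeader.Error",
+"ErrNewValSetCantBeTrusted.Error",
+"ErrOldHeaderExpired.Error",
+"ErrVerificationFailed.Error",
+"NewClient",
+"NewClientFromTrustedStore",
+"NewHTTPClient",
+"NewHTTPClientFromTrustedStore",
+"TrustOptions.ValidateBasic",
+"ValidateTrustLevel",
+"Verify",
+"VerifyAdjacent",
+"VerifyBackwards",
+"VerifyNonAdjacent",
+"errBadWitness.Error",
+"errConflictingHeaders.Error"
+]
+},
+{
+"path": "github.com/cometbft/cometbft/types",
+"symbols": [
+"ABCIParams.VoteExtensionsEnabled",
+"Block.Hash",
+"Block.HashesTo",
+"Block.MakePartSet",
+"Block.Size",
+"Block.String",
+"Block.StringIndented",
+"Block.StringShort",
+"Block.ToProto",
+"Block.ValidateBasic",
+"BlockFromProto",
+"BlockID.Key",
+"BlockID.String",
+"BlockID.ValidateBasic",
+"BlockIDFromProto",
+"BlockMeta.ValidateBasic",
+"BlockMetaFromProto",
+"BlockMetaFromTrustedProto",
+"CanonicalTime",
+"CanonicalizeBlockID",
+"CanonicalizeProposal",
+"CanonicalizeVote",
+"Commit.GetVote",
+"Commit.Hash",
+"Commit.StringIndented",
+"Commit.ToVoteSet",
+"Commit.ValidateBasic",
+"Commit.VoteSignBytes",
+"CommitFromProto",
+"CommitSig.BlockID",
+"CommitSig.FromProto",
+"CommitSig.String",
+"CommitSig.ValidateBasic",
+"ConsensusParams.ValidateBasic",
+"ConsensusParams.ValidateUpdate",
+"Data.StringIndented",
+"DuplicateVoteEvidence.Bytes",
+"DuplicateVoteEvidence.Hash",
+"DuplicateVoteEvidence.String",
+"DuplicateVoteEvidence.ValidateBasic",
+"DuplicateVoteEvidenceFromProto",
+"ErrEvidenceOverflow.Error",
+"ErrInvalidCommitHeight.Error",
+"ErrInvalidCommitSignatures.Error",
+"ErrInvalidEvidence.Error",
+"ErrNotEnoughVotingPowerSigned.Error",
+"ErrVoteConflictingVotes.Error",
+"ErrVoteExtensionInvalid.Error",
+"EventBus.OnStart",
+"EventBus.OnStop",
+"EventBus.PublishEventNewBlock",
+"EventBus.PublishEventNewBlockEvents",
+"EventBus.PublishEventTx",
+"EventQueryTxFor",
+"EvidenceData.ByteSize",
+"EvidenceData.FromProto",
+"EvidenceData.Hash",
+"EvidenceData.StringIndented",
+"EvidenceData.ToProto",
+"EvidenceFromProto",
+"EvidenceList.Has",
+"EvidenceList.Hash",
+"EvidenceList.String",
+"EvidenceToProto",
+"ExtendedCommit.EnsureExtensions",
+"ExtendedCommit.GetByIndex",
+"ExtendedCommit.GetExtendedVote",
+"ExtendedCommit.ToExtendedVoteSet",
+"ExtendedCommit.ValidateBasic",
+"ExtendedCommitFromProto",
+"ExtendedCommitSig.EnsureExtension",
+"ExtendedCommitSig.FromProto",
+"ExtendedCommitSig.String",
+"ExtendedCommitSig.ValidateBasic",
+"GenesisDoc.SaveAs",
+"GenesisDoc.ValidateAndComplete",
+"GenesisDoc.ValidatorHash",
+"GenesisDocFromFile",
+"GenesisDocFromJSON",
+"Header.Hash",
+"Header.StringIndented",
+"Header.ValidateBasic",
+"HeaderFromProto",
+"LightBlock.String",
+"LightBlock.StringIndented",
+"LightBlock.ToProto",
+"LightBlock.ValidateBasic",
+"LightBlockFromProto",
+"LightClientAttackEvidence.Bytes",
+"LightClientAttackEvidence.Hash",
+"LightClientAttackEvidence.String",
+"LightClientAttackEvidence.ToProto",
+"LightClientAttackEvidence.ValidateBasic",
+"LightClientAttackEvidenceFromProto",
+"MakeBlock",
+"MakeExtCommit",
+"MakeVote",
+"MakeVoteNoError",
+"MaxDataBytes",
+"MaxDataBytesNoEvidence",
+"MockPV.SignProposal",
+"MockPV.SignVote",
+"MockPV.String",
+"NewBlockMeta",
+"NewDuplicateVoteEvidence",
+"NewErroringMockPV",
+"NewMockDuplicateVoteEvidence",
+"NewMockDuplicateVoteEvidenceWithValidator",
+"NewMockPV",
+"NewValidatorSet",
+"Part.String",
+"Part.StringIndented",
+"Part.ValidateBasic",
+"PartFromProto",
+"PartSet.AddPart",
+"PartSet.MarshalJSON",
+"PartSet.StringShort",
+"PartSetHeader.String",
+"PartSetHeader.ValidateBasic",
+"PartSetHeaderFromProto",
+"Proposal.String",
+"Proposal.ValidateBasic",
+"ProposalFromProto",
+"ProposalSignBytes",
+"QueryForEvent",
+"RandValidator",
+"RandValidatorSet",
+"SignAndCheckVote",
+"SignedHeader.String",
+"SignedHeader.StringIndented",
+"SignedHeader.ValidateBasic",
+"SignedHeaderFromProto",
+"Tx.String",
+"TxProof.Validate",
+"TxProofFromProto",
+"Txs.Validate",
+"ValidateHash",
+"Validator.Bytes",
+"Validator.String",
+"Validator.ToProto",
+"Validator.ValidateBasic",
+"ValidatorFromProto",
+"ValidatorListString",
+"ValidatorSet.CopyIncrementProposerPriority",
+"ValidatorSet.GetProposer",
+"ValidatorSet.Hash",
+"ValidatorSet.IncrementProposerPriority",
+"ValidatorSet.Iterate",
+"ValidatorSet.String",
+"ValidatorSet.StringIndented",
+"ValidatorSet.ToProto",
+"ValidatorSet.TotalVotingPower",
+"ValidatorSet.UpdateWithChangeSet",
+"ValidatorSet.ValidateBasic",
+"ValidatorSet.VerifyCommit",
+"ValidatorSet.VerifyCommitLight",
+"ValidatorSet.VerifyCommitLightAllSignatures",
+"ValidatorSet.VerifyCommitLightTrusting",
+"ValidatorSet.VerifyCommitLightTrustingAllSignatures",
+"ValidatorSet.findProposer",
+"ValidatorSetFromExistingValidators",
+"ValidatorSetFromProto",
+"VerifyCommit",
+"VerifyCommitLight",
+"VerifyCommitLightAllSignatures",
+"VerifyCommitLightTrusting",
+"VerifyCommitLightTrustingAllSignatures",
+"Vote.CommitSig",
+"Vote.ExtendedCommitSig",
+"Vote.String",
+"Vote.ValidateBasic",
+"Vote.Verify",
+"Vote.VerifyExtension",
+"Vote.VerifyVoteAndExtension",
+"VoteExtensionSignBytes",
+"VoteFromProto",
+"VoteSet.AddVote",
+"VoteSet.BitArrayByBlockID",
+"VoteSet.BitArrayString",
+"VoteSet.HasAll",
+"VoteSet.HasTwoThirdsAny",
+"VoteSet.LogString",
+"VoteSet.MakeExtendedCommit",
+"VoteSet.MarshalJSON",
+"VoteSet.SetPeerMaj23",
+"VoteSet.String",
+"VoteSet.StringIndented",
+"VoteSet.StringShort",
+"VoteSet.VoteStrings",
+"VoteSignBytes"
+]
+}
+],
+"custom_ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0.34.0"
+},
+{
+"fixed": "0.34.34"
+}
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc"
+},
+{
+"type": "FIX",
+"url": "https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2"
+},
+{
+"type": "FIX",
+"url": "https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-3112",
+"review_status": "REVIEWED"
+}
+}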

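--- a/data/reports/GO-2024-3112.yaml
+++ b/data/reports/GO-2024-3112.yaml
@@ -0,0 +1,247 @@
+id: GO-2024-3112
+modules:
+- module: github.com/cometbft/cometbft
+versions:
+- introduced: 0.37.0
+- fixed: 0.37.11
+- introduced: 0.38.0
+- fixed: 0.38.12
+non_go_versions:
+- introduced: 0.34.0
+- fixed: 0.34.34
+vulnerable_at: 0.38.11
+packages:
+- package: github.com/cometbft/cometbft/light
+symbols:
+- Client.initializeWithTrustOptions
+- Client.findNewPrimary
+- Client.compareFirstHeaderWithWitnesses
+- Client.detectDivergence
+- Client.compareNewHeaderWithWitness
+derived_symbols:
+- Client.TrustedLightBlock
+- Client.Update
+- Client.VerifyHeader
+- Client.VerifyLightBlockAtHeight
+- ErrInvalidHeader.Error
+- ErrNewValSetCantBeTrusted.Error
+- ErrOldHeaderExpired.Error
+- ErrVerificationFailed.Error
+- NewClient
+- NewClientFromTrustedStore
+- NewHTTPClient
+- NewHTTPClientFromTrustedStore
+- TrustOptions.ValidateBasic
+- ValidateTrustLevel
+- Verify
+- VerifyAdjacent
+- VerifyBackwards
+- VerifyNonAdjacent
+- errBadWitness.Error
+- errConflictingHeaders.Error
+- package: github.com/cometbft/cometbft/types
+symbols:
+- ValidatorSet.ValidateBasic
+- ValidatorSet.findProposer
+derived_symbols:
+- ABCIParams.VoteExtensionsEnabled
+- Block.Hash
+- Block.HashesTo
+- Block.MakePartSet
+- Block.Size
+- Block.String
+- Block.StringIndented
+- Block.StringShort
+- Block.ToProto
+- Block.ValidateBasic
+- BlockFromProto
+- BlockID.Key
+- BlockID.String
+- BlockID.ValidateBasic
+- BlockIDFromProto
+- BlockMeta.ValidateBasic
+- BlockMetaFromProto
+- BlockMetaFromTrustedProto
+- CanonicalTime
+- CanonicalizeBlockID
+- CanonicalizeProposal
+- CanonicalizeVote
+- Commit.GetVote
+- Commit.Hash
+- Commit.StringIndented
+- Commit.ToVoteSet
+- Commit.ValidateBasic
+- Commit.VoteSignBytes
+- CommitFromProto
+- CommitSig.BlockID
+- CommitSig.FromProto
+- CommitSig.String
+- CommitSig.ValidateBasic
+- ConsensusParams.ValidateBasic
+- ConsensusParams.ValidateUpdate
+- Data.StringIndented
+- DuplicateVoteEvidence.Bytes
+- DuplicateVoteEvidence.Hash
+- DuplicateVoteEvidence.String
+- DuplicateVoteEvidence.ValidateBasic
+- DuplicateVoteEvidenceFromProto
+- ErrEvidenceOverflow.Error
+- ErrInvalidCommitHeight.Error
+- ErrInvalidCommitSignatures.Error
+- ErrInvalidEvidence.Error
+- ErrNotEnoughVotingPowerSigned.Error
+- ErrVoteConflictingVotes.Error
+- ErrVoteExtensionInvalid.Error
+- EventBus.OnStart
+- EventBus.OnStop
+- EventBus.PublishEventNewBlock
+- EventBus.PublishEventNewBlockEvents
+- EventBus.PublishEventTx
+- EventQueryTxFor
+- EvidenceData.ByteSize
+- EvidenceData.FromProto
+- EvidenceData.Hash
+- EvidenceData.StringIndented
+- EvidenceData.ToProto
+- EvidenceFromProto
+- EvidenceList.Has
+- EvidenceList.Hash
+- EvidenceList.String
+- EvidenceToProto
+- ExtendedCommit.EnsureExtensions
+- ExtendedCommit.GetByIndex
+- ExtendedCommit.GetExtendedVote
+- ExtendedCommit.ToExtendedVoteSet
+- ExtendedCommit.ValidateBasic
+- ExtendedCommitFromProto
+- ExtendedCommitSig.EnsureExtension
+- ExtendedCommitSig.FromProto
+- ExtendedCommitSig.String
+- ExtendedCommitSig.ValidateBasic
+- GenesisDoc.SaveAs
+- GenesisDoc.ValidateAndComplete
+- GenesisDoc.ValidatorHash
+- GenesisDocFromFile
+- GenesisDocFromJSON
+- Header.Hash
+- Header.StringIndented
+- Header.ValidateBasic
+- HeaderFromProto
+- LightBlock.String
+- LightBlock.StringIndented
+- LightBlock.ToProto
+- LightBlock.ValidateBasic
+- LightBlockFromProto
+- LightClientAttackEvidence.Bytes
+- LightClientAttackEvidence.Hash
+- LightClientAttackEvidence.String
+- LightClientAttackEvidence.ToProto
+- LightClientAttackEvidence.ValidateBasic
+- LightClientAttackEvidenceFromProto
+- MakeBlock
+- MakeExtCommit
+- MakeVote
+- MakeVoteNoError
+- MaxDataBytes
+- MaxDataBytesNoEvidence
+- MockPV.SignProposal
+- MockPV.SignVote
+- MockPV.String
+- NewBlockMeta
+- NewDuplicateVoteEvidence
+- NewErroringMockPV
+- NewMockDuplicateVoteEvidence
+- NewMockDuplicateVoteEvidenceWithValidator
+- NewMockPV
+- NewValidatorSet
+- Part.String
+- Part.StringIndented
+- Part.ValidateBasic
+- PartFromProto
+- PartSet.AddPart
+- PartSet.MarshalJSON
+- PartSet.StringShort
+- PartSetHeader.String
+- PartSetHeader.ValidateBasic
+- PartSetHeaderFromProto
+- Proposal.String
+- Proposal.ValidateBasic
+- ProposalFromProto
+- ProposalSignBytes
+- QueryForEvent
+- RandValidator
+- RandValidatorSet
+- SignAndCheckVote
+- SignedHeader.String
+- SignedHeader.StringIndented
+- SignedHeader.ValidateBasic
+- SignedHeaderFromProto
+- Tx.String
+- TxProof.Validate
+- TxProofFromProto
+- Txs.Validate
+- ValidateHash
+- Validator.Bytes
+- Validator.String
+- Validator.ToProto
+- Validator.ValidateBasic
+- ValidatorFromProto
+- ValidatorListString
+- ValidatorSet.CopyIncrementProposerPriority
+- ValidatorSet.GetProposer
+- ValidatorSet.Hash
+- ValidatorSet.IncrementProposerPriority
+- ValidatorSet.Iterate
+- ValidatorSet.String
+- ValidatorSet.StringIndented
+- ValidatorSet.ToProto
+- ValidatorSet.TotalVotingPower
+- ValidatorSet.UpdateWithChangeSet
+- ValidatorSet.VerifyCommit
+- ValidatorSet.VerifyCommitLight
+- ValidatorSet.VerifyCommitLightAllSignatures
+- ValidatorSet.VerifyCommitLightTrusting
+- ValidatorSet.VerifyCommitLightTrustingAllSignatures
+- ValidatorSetFromExistingValidators
+- ValidatorSetFromProto
+- VerifyCommit
+- VerifyCommitLight
+- VerifyCommitLightAllSignatures
+- VerifyCommitLightTrusting
+- VerifyCommitLightTrustingAllSignatures
+- Vote.CommitSig
+- Vote.ExtendedCommitSig
+- Vote.String
+- Vote.ValidateBasic
+- Vote.Verify
+- Vote.VerifyExtension
+- Vote.VerifyVoteAndExtension
+- VoteExtensionSignBytes
+- VoteFromProto
+- VoteSet.AddVote
+- VoteSet.BitArrayByBlockID
+- VoteSet.BitArrayString
+- VoteSet.HasAll
+- VoteSet.HasTwoThirdsAny
+- VoteSet.LogString
+- VoteSet.MakeExtendedCommit
+- VoteSet.MarshalJSON
+- VoteSet.SetPeerMaj23
+- VoteSet.String
+- VoteSet.StringIndented
+- VoteSet.StringShort
+- VoteSet.VoteStrings
+- VoteSignBytes
+summary: |-
+CometBFT's state syncing validator from malicious node may lead to a chain split
+github.com/cometbft/cometbft
+ghsas:
+- GHSA-g5xx-c4hv-9ccc
+references:
+- advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc
+- fix: https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2
+- fix: https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55
+source:
+id: GHSA-g5xx-c4hv-9ccc
+created: 2024-09-13T15:12:52.592831-04:00
+review_status: REVIEWED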
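Review bot: The report has no `description:` field, so the only human-readable text a govulncheck or pkg.go.dev user gets is the one-line summary; the generated OSV entry already shows the effect, with `details` duplicating `summary` verbatim. Since the report marks the light-client witness/divergence checks (`Client.compareFirstHeaderWithWitnesses`, `Client.detectDivergence`) and `ValidatorSet.ValidateBasic`/`ValidatorSet.findProposer` as the vulnerable symbols, a short `description:` saying what a malicious state-sync peer can cause and which of those checks the two fix commits tighten would let users decide whether they are exposed — it can be drawn from the linked GHSA. The summary also appends the module path to the GHSA title with no connector; `summary: CometBFT's state syncing validator from malicious node may lead to a chain split in github.com/cometbft/cometbft` reads as a sentence. Finally, the 0.34.0–0.34.34 range sits under `non_go_versions`, which means it will not be matched against a module on v0.34.x; if that is deliberate (tags not resolvable as Go module versions) a one-line YAML comment explaining why would save the next reviewer from moving it into `versions`.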