Vulnerability Report: GO-2024-2831
- CVE-2024-34360, GHSA-jcqq-g64v-gcm7
- Affects: github.com/spacemeshos/api/release/go, github.com/spacemeshos/go-spacemesh
- Published: May 14, 2024
- Modified: May 20, 2024
Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.
For detailed information about this vulnerability, visit https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7.
Affected Packages
-
PathVersionsSymbols
-
before v1.37.1all symbols
-
before v1.5.2-hotfix1
-
before v1.5.2-hotfix1
44 affected symbols
- CloseEventReporter
- EmitAtxPublished
- EmitBeacon
- EmitEligibilities
- EmitInitComplete
- EmitInitFailure
- EmitInitStart
- EmitInvalidPostProof
- EmitOwnMalfeasanceProof
- EmitPoetWaitProof
- EmitPoetWaitRound
- EmitPostComplete
- EmitPostFailure
- EmitPostServiceStarted
- EmitPostServiceStopped
- EmitPostStart
- EmitProposal
- InitializeReporter
- LayerUpdate.Field
- ReportAccountUpdate
- ReportError
- ReportLayerUpdate
- ReportMalfeasance
- ReportNewActivation
- ReportNewTx
- ReportNodeStatusUpdate
- ReportProposal
- ReportResult
- ReportRewardReceived
- ReportTxWithValidity
- SubcribeProposals
- Subscribe
- SubscribeAccount
- SubscribeActivations
- SubscribeErrors
- SubscribeLayers
- SubscribeMalfeasance
- SubscribeMatched
- SubscribeRewards
- SubscribeStatus
- SubscribeToLayers
- SubscribeTxs
- SubscribeUserEvents
- ToMalfeasancePB
-
before v1.5.2-hotfix1
-
before v1.5.2-hotfix1
24 affected symbols
- AtxProof.DecodeScale
- AtxProof.MarshalLogObject
- AtxProofMsg.DecodeScale
- AtxProofMsg.SignedBytes
- BallotProof.DecodeScale
- BallotProof.MarshalLogObject
- BallotProofMsg.DecodeScale
- BallotProofMsg.SignedBytes
- HareMetadata.DecodeScale
- HareMetadata.ToBytes
- HareProof.DecodeScale
- HareProof.MarshalLogObject
- HareProofMsg.DecodeScale
- HareProofMsg.SignedBytes
- InvalidPostIndexProof.DecodeScale
- InvalidPostIndexProof.EncodeScale
- MalfeasanceGossip.DecodeScale
- MalfeasanceGossip.EncodeScale
- MalfeasanceInfo
- MalfeasanceProof.DecodeScale
- MalfeasanceProof.EncodeScale
- MalfeasanceProof.MarshalLogObject
- Proof.DecodeScale
- Proof.EncodeScale
-
before v1.5.2-hotfix1
2 unexported affected symbols
- App.setupDBs
- App.verifyDB
-
before v1.5.2-hotfix1
Aliases
References
- https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
- https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
- https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
- https://spacemesh.io/blog/spacemesh-white-paper-1
- https://vuln.go.dev/ID/GO-2024-2831.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.