Vulnerability Report: GO-2024-3112
- GHSA-g5xx-c4hv-9ccc
- Affects: github.com/cometbft/cometbft
- Published: Sep 13, 2024
CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft
For detailed information about this vulnerability, visit https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc.
Affected Packages
-
PathGo VersionsCustom Versions*Symbols
-
from v0.37.0 before v0.37.11, from v0.38.0 before v0.38.12from 0.34.0 before 0.34.34
18 affected symbols
- Client.TrustedLightBlock
- Client.Update
- Client.VerifyHeader
- Client.VerifyLightBlockAtHeight
- ErrInvalidHeader.Error
- ErrNewValSetCantBeTrusted.Error
- ErrOldHeaderExpired.Error
- ErrVerificationFailed.Error
- NewClient
- NewClientFromTrustedStore
- NewHTTPClient
- NewHTTPClientFromTrustedStore
- TrustOptions.ValidateBasic
- ValidateTrustLevel
- Verify
- VerifyAdjacent
- VerifyBackwards
- VerifyNonAdjacent
-
from v0.37.0 before v0.37.11, from v0.38.0 before v0.38.12from 0.34.0 before 0.34.34
189 affected symbols
- ABCIParams.VoteExtensionsEnabled
- Block.Hash
- Block.HashesTo
- Block.MakePartSet
- Block.Size
- Block.String
- Block.StringIndented
- Block.StringShort
- Block.ToProto
- Block.ValidateBasic
- BlockFromProto
- BlockID.Key
- BlockID.String
- BlockID.ValidateBasic
- BlockIDFromProto
- BlockMeta.ValidateBasic
- BlockMetaFromProto
- BlockMetaFromTrustedProto
- CanonicalTime
- CanonicalizeBlockID
- CanonicalizeProposal
- CanonicalizeVote
- Commit.GetVote
- Commit.Hash
- Commit.StringIndented
- Commit.ToVoteSet
- Commit.ValidateBasic
- Commit.VoteSignBytes
- CommitFromProto
- CommitSig.BlockID
- CommitSig.FromProto
- CommitSig.String
- CommitSig.ValidateBasic
- ConsensusParams.ValidateBasic
- ConsensusParams.ValidateUpdate
- Data.StringIndented
- DuplicateVoteEvidence.Bytes
- DuplicateVoteEvidence.Hash
- DuplicateVoteEvidence.String
- DuplicateVoteEvidence.ValidateBasic
- DuplicateVoteEvidenceFromProto
- ErrEvidenceOverflow.Error
- ErrInvalidCommitHeight.Error
- ErrInvalidCommitSignatures.Error
- ErrInvalidEvidence.Error
- ErrNotEnoughVotingPowerSigned.Error
- ErrVoteConflictingVotes.Error
- ErrVoteExtensionInvalid.Error
- EventBus.OnStart
- EventBus.OnStop
- EventBus.PublishEventNewBlock
- EventBus.PublishEventNewBlockEvents
- EventBus.PublishEventTx
- EventQueryTxFor
- EvidenceData.ByteSize
- EvidenceData.FromProto
- EvidenceData.Hash
- EvidenceData.StringIndented
- EvidenceData.ToProto
- EvidenceFromProto
- EvidenceList.Has
- EvidenceList.Hash
- EvidenceList.String
- EvidenceToProto
- ExtendedCommit.EnsureExtensions
- ExtendedCommit.GetByIndex
- ExtendedCommit.GetExtendedVote
- ExtendedCommit.ToExtendedVoteSet
- ExtendedCommit.ValidateBasic
- ExtendedCommitFromProto
- ExtendedCommitSig.EnsureExtension
- ExtendedCommitSig.FromProto
- ExtendedCommitSig.String
- ExtendedCommitSig.ValidateBasic
- GenesisDoc.SaveAs
- GenesisDoc.ValidateAndComplete
- GenesisDoc.ValidatorHash
- GenesisDocFromFile
- GenesisDocFromJSON
- Header.Hash
- Header.StringIndented
- Header.ValidateBasic
- HeaderFromProto
- LightBlock.String
- LightBlock.StringIndented
- LightBlock.ToProto
- LightBlock.ValidateBasic
- LightBlockFromProto
- LightClientAttackEvidence.Bytes
- LightClientAttackEvidence.Hash
- LightClientAttackEvidence.String
- LightClientAttackEvidence.ToProto
- LightClientAttackEvidence.ValidateBasic
- LightClientAttackEvidenceFromProto
- MakeBlock
- MakeExtCommit
- MakeVote
- MakeVoteNoError
- MaxDataBytes
- MaxDataBytesNoEvidence
- MockPV.SignProposal
- MockPV.SignVote
- MockPV.String
- NewBlockMeta
- NewDuplicateVoteEvidence
- NewErroringMockPV
- NewMockDuplicateVoteEvidence
- NewMockDuplicateVoteEvidenceWithValidator
- NewMockPV
- NewValidatorSet
- Part.String
- Part.StringIndented
- Part.ValidateBasic
- PartFromProto
- PartSet.AddPart
- PartSet.MarshalJSON
- PartSet.StringShort
- PartSetHeader.String
- PartSetHeader.ValidateBasic
- PartSetHeaderFromProto
- Proposal.String
- Proposal.ValidateBasic
- ProposalFromProto
- ProposalSignBytes
- QueryForEvent
- RandValidator
- RandValidatorSet
- SignAndCheckVote
- SignedHeader.String
- SignedHeader.StringIndented
- SignedHeader.ValidateBasic
- SignedHeaderFromProto
- Tx.String
- TxProof.Validate
- TxProofFromProto
- Txs.Validate
- ValidateHash
- Validator.Bytes
- Validator.String
- Validator.ToProto
- Validator.ValidateBasic
- ValidatorFromProto
- ValidatorListString
- ValidatorSet.CopyIncrementProposerPriority
- ValidatorSet.GetProposer
- ValidatorSet.Hash
- ValidatorSet.IncrementProposerPriority
- ValidatorSet.Iterate
- ValidatorSet.String
- ValidatorSet.StringIndented
- ValidatorSet.ToProto
- ValidatorSet.TotalVotingPower
- ValidatorSet.UpdateWithChangeSet
- ValidatorSet.ValidateBasic
- ValidatorSet.VerifyCommit
- ValidatorSet.VerifyCommitLight
- ValidatorSet.VerifyCommitLightAllSignatures
- ValidatorSet.VerifyCommitLightTrusting
- ValidatorSet.VerifyCommitLightTrustingAllSignatures
- ValidatorSetFromExistingValidators
- ValidatorSetFromProto
- VerifyCommit
- VerifyCommitLight
- VerifyCommitLightAllSignatures
- VerifyCommitLightTrusting
- VerifyCommitLightTrustingAllSignatures
- Vote.CommitSig
- Vote.ExtendedCommitSig
- Vote.String
- Vote.ValidateBasic
- Vote.Verify
- Vote.VerifyExtension
- Vote.VerifyVoteAndExtension
- VoteExtensionSignBytes
- VoteFromProto
- VoteSet.AddVote
- VoteSet.BitArrayByBlockID
- VoteSet.BitArrayString
- VoteSet.HasAll
- VoteSet.HasTwoThirdsAny
- VoteSet.LogString
- VoteSet.MakeExtendedCommit
- VoteSet.MarshalJSON
- VoteSet.SetPeerMaj23
- VoteSet.String
- VoteSet.StringIndented
- VoteSet.StringShort
- VoteSet.VoteStrings
- VoteSignBytes
*Custom versions, which can't be mapped automatically to standard Go module versions, are ignored by govulncheck. (See this note on versions for more details.)
Aliases
References
- https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc
- https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2
- https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55
- https://vuln.go.dev/ID/GO-2024-3112.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.