GHSA-7fw6-6mfj-g3q2: ckb: Transaction header_deps validation issue (network forking)

November 2, 2022

fn HeaderChecker#check_valid skipped main chain checking after this PR: https://github.com/nervosnetwork/ckb/pull/1646/files#diff-c4e017b67c1b3005ca0c446a9b0879571aa36a858b1f7ddd1b9328a884e3214bR171-R176

It will cause network forking if one transaction is using a forked block header which is not exists in local node’s storage.

References

github.com/advisories/GHSA-7fw6-6mfj-g3q2
github.com/nervosnetwork/ckb
github.com/nervosnetwork/ckb/pull/1646/files
github.com/nervosnetwork/ckb/security/advisories/GHSA-7fw6-6mfj-g3q2

Detect and mitigate GHSA-7fw6-6mfj-g3q2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →