Advisories for Golang/Github.com/Ipld/Go-Car package

2022

Malformed CAR panics and excessive memory usage

Out of bound memory access (OOB), out of memory (OOM) panics or excessive memory usage can be triggered by decode of malformed CARv1 headers, malformed CARv1 sections, and malformed CIDv0 data used in CARv1 sections. This also applies to CARv1 data within a CARv2 container. Additionally, we wish to use this security advisory to make clear to consumers of CARv2 format data that loading CARv2 indexes from untrusted sources is …

Malformed CAR panics and excessive memory usage

Impact Versions impacted <= go-car@v0.3.3 <= go-car@v2.3.0 Description Decoding CAR data from untrusted user input can cause: Panics: Out of bound memory access Out of memory Divide by zero Excessive memory usage Such panics can be triggered by intentionally malformed CARv1 data, including CARv1 data within a CARv2 container; and also CARv2 data with excessively large indexes. These vulnerabilities are not known to be exploited in the wild and were …

Malformed CAR panics and excessive memory usage

Decoding CAR data from untrusted user input can cause, panics, out-of-bound memory access, out of memory, divide by zero, and excessive memory usage. Such panics can be triggered by intentionally malformed CARv1 data, including CARv1 data within a CARv2 container; and also CARv2 data with excessively large indexes. These vulnerabilities are not known to be exploited in the wild and were discovered primarily with the use of code fuzzing tooling.

Malformed CAR panics and excessive memory usage

Impact Versions impacted <= go-car@v0.3.3 <= go-car@v2.3.0 Description Decoding CAR data from untrusted user input can cause: Panics: Out of bound memory access Out of memory Divide by zero Excessive memory usage Such panics can be triggered by intentionally malformed CARv1 data, including CARv1 data within a CARv2 container; and also CARv2 data with excessively large indexes. These vulnerabilities are not known to be exploited in the wild and were …

Malformed CAR panics and excessive memory usage

Out of bound memory access (OOB), out of memory (OOM) panics or excessive memory usage can be triggered by decode of malformed CARv1 headers, malformed CARv1 sections, and malformed CIDv0 data used in CARv1 sections. This also applies to CARv1 data within a CARv2 container. Additionally, we wish to use this security advisory to make clear to consumers of CARv2 format data that loading CARv2 indexes from untrusted sources is …