GMS-2022-2940: Malformed CAR panics and excessive memory usage
(updated )
Out of bound memory access (OOB), out of memory (OOM) panics or excessive memory usage can be triggered by decode of malformed CARv1 headers, malformed CARv1 sections, and malformed CIDv0 data used in CARv1 sections. This also applies to CARv1 data within a CARv2 container. Additionally, we wish to use this security advisory to make clear to consumers of CARv2 format data that loading CARv2 indexes from untrusted sources is dangerous and should be avoided. Where CAR data indexes are required, they should be regenerated locally. Out of memory (OOM) panics or excessive memory usage can be triggered by decode of intentionally malformed CARv2 indexes, or CARv2 indexes which are larger than available system memory (i.e. parallelization of CARv2 decodes may increase such a vulnerability).
References
Detect and mitigate GMS-2022-2940 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →