interesting
/
go-ethereum
mirror of https://github.com/ethereum/go-ethereum.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs: add vuln info (#23517) 

* docs: add vuln info

* Update vulnerabilities.json

* vulnerabilities: add signature
This commit is contained in:
Martin Holst Swende 2021-09-07 09:29:43 +02:00 committed by GitHub
parent 94fb7c832a
commit 3501163d4f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/_vulnerabilities/vulnerabilities.json
View File

@ -112,16 +112,17 @@
],
"introduced": "v1.10.1",
"fixed": "v1.10.6",
"published": "2020-07-22",
"published": "2021-07-22",
"severity": "High",
"check": "(Geth\\/v1\\.10\\.(1|2|3|4|5)-.*)$"
},
{
"name": " EVM flaw during block processing ",
"name": "RETURNDATA corruption via datacopy",
"uid": "GETH-2021-02",
"summary": "A vulnerability in the Geth EVM could cause a node to no longer being able to process the chain. Further details about the vulnerability will be disclosed at a later date.",
"description": "The exact attack vector will be provided at a later date to give node operators and dependent downstream projects time to update their nodes and software.\n\nAll Geth versions supporting the London hard fork are vulnerable (the bug is older than London), so all users should update.\n\nCredits for the discovery go to @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via bounty@ethereum.org.",
"summary": "A consensus-flaw in the Geth EVM could cause a node to deviate from the canonical chain.",
"description": "A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split: mainnet splitting in two forks.\n\nAll Geth versions supporting the London hard fork are vulnerable (the bug is older than London), so all users should update.\n\nThis bug was exploited on Mainnet at block 13107518.\n\nCredits for the discovery go to @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via bounty@ethereum.org.",
"links": [
"https://github.com/ethereum/go-ethereum/blob/master/docs/postmortems/2021-08-22-split-postmortem.md",
"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq",
"https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8"
],

6
docs/_vulnerabilities/vulnerabilities.json.minisig
View File

@ -1,4 +1,4 @@
untrusted comment: signature from minisign secret key
RWQk7Lo5TQgd++3L4ak5YtTZati9peOJPh98Hyd3+clXS0o12nmm/WD4/7yuWHIIjBizJ74DqMesD7d2OhjwrExKEOhYnX7vrgg=
trusted comment: timestamp:1629790360 file:vulnerabilities.json
hoImXPiP448MxV7UOT/uQ1xj9jeJDGDqiFz/SVylfC5VC48bdjHTWN9LOgDGZfzLS+KIke0nDttel4vMZNg+AQ==
RWQk7Lo5TQgd+66wU0ZNQlDYTsqSFA2o1aeaPo1ccQMJK/EMFyirawrl8Rq4NJI9md6x1xUthAT0Lr3HeTIQhYBGRtYcG5su0A0=
trusted comment: timestamp:1630999630 file:vulnerabilities.json
ezWYr/g7o55e/Yb+rdnp5fZoER4zVBxsm7g0yNt0/hPUhLa86uM1hRTE1Boeg1HxajcVe+iNEmsB/rIokBq3Bg==