Daemon panics when processing certain blocks
Discription

Impact go-ipfs nodes with versions 0.10.0, 0.11.0, 0.12.0, or 0.12.1 can crash when trying to traverse certain malformed graphs due to an issue in the go-codec-dagpb dependency. Vulnerable nodes that work with these malformed graphs may crash leading to denial-of-service risks. This particularly impacts nodes that download or export data that is controlled by external user input as there is the possibility that a malicious user of those services could (intentionally or unintentionally) cause the node to traverse a malformed graph. Some notable use cases include public gateways and pinning services which fetch data on behalf of users, as well as applications such as IPFS Companion which load data based on a user visiting a website with links to IPFS URLs. Patches Versions v0.11.1 and v0.12.2 both resolve this issue. This should make it easy to upgrade, even if you have not yet performed the v0.12.0 migration. For those running on forked versions of go-ipfs or who are on v0.10.0 and are having trouble with the v0.11.0 breaking changes, simply updating the version of go-codec-dagpb you are using to >=v1.3.2 should resolve the issue. Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-codec-dagpb. You can check if your Go module has a dependency on go-codec-dagpb by running a command such as go mod graph | grep go-codec-dagpb in your module root. Workarounds The best…

Back to Main

Subscribe for the latest news: