{"id":"GO-2024-2831","summary":"ATX protocol validation problem in github.com/spacemeshos/go-spacemesh","details":"Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.","aliases":["CVE-2024-34360","GHSA-jcqq-g64v-gcm7"],"modified":"2024-05-20T16:03:47Z","published":"2024-05-14T16:33:28Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2831"},"references":[{"type":"ADVISORY","url":"https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7"},{"type":"FIX","url":"https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e"},{"type":"FIX","url":"https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87"},{"type":"WEB","url":"https://spacemesh.io/blog/spacemesh-white-paper-1"}],"affected":[{"package":{"name":"github.com/spacemeshos/api/release/go","ecosystem":"Go","purl":"pkg:golang/github.com/spacemeshos/api/release/go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.37.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/spacemeshos/api/release/go/spacemesh/v1"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2831.json"}},{"package":{"name":"github.com/spacemeshos/go-spacemesh","ecosystem":"Go","purl":"pkg:golang/github.com/spacemeshos/go-spacemesh"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.5.2-hotfix1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/spacemeshos/go-spacemesh/activation","symbols":["Handler.HandleGossipAtx","Handler.SyntacticallyValidateDeps","Handler.processATX","Handler.storeAtx"]},{"path":"github.com/spacemeshos/go-spacemesh/events","symbols":["CloseEventReporter","EmitAtxPublished","EmitBeacon","EmitEligibilities","EmitInitComplete","EmitInitFailure","EmitInitStart","EmitInvalidPostProof","EmitOwnMalfeasanceProof","EmitPoetWaitProof","EmitPoetWaitRound","EmitPostComplete","EmitPostFailure","EmitPostServiceStarted","EmitPostServiceStopped","EmitPostStart","EmitProposal","InitializeReporter","LayerUpdate.Field","ReportAccountUpdate","ReportError","ReportLayerUpdate","ReportMalfeasance","ReportNewActivation","ReportNewTx","ReportNodeStatusUpdate","ReportProposal","ReportResult","ReportRewardReceived","ReportTxWithValidity","SubcribeProposals","Subscribe","SubscribeAccount","SubscribeActivations","SubscribeErrors","SubscribeLayers","SubscribeMalfeasance","SubscribeMatched","SubscribeRewards","SubscribeStatus","SubscribeToLayers","SubscribeTxs","SubscribeUserEvents","ToMalfeasancePB"]},{"path":"github.com/spacemeshos/go-spacemesh/malfeasance","symbols":["Handler.HandleSyncedMalfeasanceProof","Validate"]},{"path":"github.com/spacemeshos/go-spacemesh/malfeasance/wire","symbols":["AtxProof.DecodeScale","AtxProof.MarshalLogObject","AtxProofMsg.DecodeScale","AtxProofMsg.SignedBytes","BallotProof.DecodeScale","BallotProof.MarshalLogObject","BallotProofMsg.DecodeScale","BallotProofMsg.SignedBytes","HareMetadata.DecodeScale","HareMetadata.ToBytes","HareProof.DecodeScale","HareProof.MarshalLogObject","HareProofMsg.DecodeScale","HareProofMsg.SignedBytes","InvalidPostIndexProof.DecodeScale","InvalidPostIndexProof.EncodeScale","MalfeasanceGossip.DecodeScale","MalfeasanceGossip.EncodeScale","MalfeasanceInfo","MalfeasanceProof.DecodeScale","MalfeasanceProof.EncodeScale","MalfeasanceProof.MarshalLogObject","Proof.DecodeScale","Proof.EncodeScale"]},{"path":"github.com/spacemeshos/go-spacemesh/node","symbols":["App.setupDBs","App.verifyDB"]},{"path":"github.com/spacemeshos/go-spacemesh/sql/atxs","symbols":["Add","AddGettingNonce","IterateIDsByEpoch"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2831.json"}}],"schema_version":"1.7.3"}