PT-2022-16028 · Unknown · Go-Merkledag

Mrd0Ll4R · Published 2022-12-08 · Updated 2022-12-22 · CVE-2022-23495

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

go-merkledag versions prior to 0.8.1

Description

A ProtoNode may be modified in such a way as to cause various encode errors, which will trigger a panic on common method calls that don't allow for error returns. A ProtoNode should only be able to encode to valid DAG-PB; attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing ProtoNode using the modifier methods did not account for certain states that would place the ProtoNode into an unencodeable form. Due to conformance with the interfaces, certain methods will panic because they are unable to return an error. Additionally, use of the ProtoNode.SetCidBuilder() method to set a non-functioning CidBuilder may cause the same methods to panic, as a new CID is required but cannot be created.

Recommendations

To resolve the issue, upgrade to version 0.8.1 for a complete set of fixes. For users unable to upgrade, consider sanitising inputs when allowing user input to set a new CidBuilder on a ProtoNode, and sanitising Tsize (Link#Size) values so that they are a reasonable byte size for sub-DAGs where they are derived from user input.
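One way to apply the Tsize sanitising advice for deployments that cannot upgrade yet, shown as an added example that is not code from go-merkledag or from this advisory. It uses only the standard library; `link`, `maxSubDAGSize`, `encodeOrPanic` and `guard` are hypothetical stand-ins, and the size limit is an assumed application policy.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// link is a hypothetical stand-in for a DAG link whose Tsize comes from user input.
type link struct {
	Name  string
	Tsize uint64
}

// maxSubDAGSize is an assumed application policy (1 TiB), not a value from the advisory.
const maxSubDAGSize uint64 = 1 << 40
var errTsize = errors.New("tsize exceeds accepted sub-DAG size")

// checkTsize rejects implausible sizes before they reach any node-modifying call.
func checkTsize(l link) error {
	if l.Tsize > maxSubDAGSize {
		return fmt.Errorf("link %q: %w (%d bytes)", l.Name, errTsize, l.Tsize)
	}
	return nil
}

// encodeOrPanic: constructed stand-in for a method with no error return; failure condition is demo-only.
func encodeOrPanic(l link) []byte {
	if l.Tsize > math.MaxInt64 {
		panic("cannot encode link size")
	}
	return []byte(fmt.Sprintf("%s:%d", l.Name, l.Tsize))
}

// guard turns a panic raised in the calling goroutine into an ordinary error.
func guard(fn func() []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("encode panicked: %v", r)
		}
	}()
	return fn(), nil
}

func main() {
	l := link{"hostile", math.MaxUint64} // constructed input
	_, err := guard(func() []byte { return encodeOrPanic(l) })
	fmt.Println(checkTsize(l), "|", err)
}
```

Validation at the input boundary is the primary control here; the `recover` wrapper only contains a panic in the goroutine that calls it and does not replace the upgrade to 0.8.1.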

Exploit

Fix

Weakness Enumeration

Unchecked Return Value
Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2022-23495
GHSA-X39J-H85H-3F46
GO-2022-1155

Affected Products

Go-Merkledag