CGA-6652-mrpw-4ffh

Published

Last updated

https://images.chainguard.dev/security/CGA-6652-mrpw-4ffh

Package

ztunnel-fips-1.24

Repository

Chainguard

Latest Update

Fixed

Fixed Version

1.24.2-r2

Aliases

GHSA-wwq9-3cpr-mm53

Summary

Borsh serialization of HashMap is non-canonical

Description

The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicty checks on decoding.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.

References

https://github.com/advisories/GHSA-wwq9-3cpr-mm53
https://github.com/rust-lang/hashbrown/issues/576
https://github.com/kayabaNerve/hashbrown-borsh-poc
https://github.com/rust-lang/hashbrown
https://rustsec.org/advisories/RUSTSEC-2024-0402.html

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-6652-mrpw-4ffh

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources