NOTICE: upstream security vulnerability -- please upgrade go and go-libp2p immediately

This is a quick public announcement to request users of go-libp2p to:

  1. upgrade their go installations to v1.14.7 and v1.13.15 —and—
  2. upgrade their go-libp2p-* dependencies to the latest released versions

in order to secure their applications against the following vulnerability investigated, reported and confirmed by Eth2 and libp2p contributors Diederik Loerakker (protolambda), Jonny Rhea (@jrhea) Raúl Kripalani (@raul), and Preston Van Loon (@prestonvanloon).

  • encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

With the update, ReadUvarint and ReadVarint now always return after consuming a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The result being returned has not changed; the functions merely detect and return some errors without reading as much input.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this issue.

This issue is CVE-2020-16845 and Go issue golang.org/issue/40618.

Go announcement: https://groups.google.com/g/golang-announce/c/NyPIaucMgXo/m/GdsyQP6QAAAJ

The bug allows an attacker to induce high CPU usage in your application; it does not leak private data or allow remote code execution.

The libp2p community takes security seriously. Within 24h of the report and confirmation, the libp2p team at Protocol Labs had patched the affected go-libp2p modules, and had produced patch releases to safeguard our community and user base against potential zero-day attacks that attempted exploit that upstream bug.

We (the cited researchers) then proceeded to responsibly disclose to the Go security team, to which we are very grateful for the swift reaction.