46 matches found
GO-2022-0422 Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb
The dag-pb codec can panic when decoding invalid blocks...
GHSA-G3VV-G2J5-45F2 ipld/go-codec-dagpb panics when processing certain blocks
Impact: Decoding certain blocks using the go-ipld-prime version of the dag-pb codec, go-codec-dagpb, can cause a panic. The panic comes from an assumption that the reported link length is accurate; if the block ends before that reported length, the result is a buffer overread. Patches: The issue is...
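The failure mode described in the advisory (a decoder that trusts a declared length and walks off the end of a truncated block) is easy to reproduce on a minimal length-delimited field. The Go program below is an added illustration written for this listing; it is not go-codec-dagpb's code and does not reproduce its exact decode path. The two byte strings are constructed inputs in protobuf wire style (tag byte, varint length, payload), and naiveLink / safeLink are hypothetical names for the untrusting and bounds-checked variants.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample blocks (not real dag-pb data): tag 0x12, then a varint
// length, then the payload. The second block declares 9 payload bytes but
// carries only 2, i.e. the block "ends before the reported length".
var (
	goodBlock      = []byte{0x12, 0x03, 'a', 'b', 'c'}
	truncatedBlock = []byte{0x12, 0x09, 'a', 'b'}
)

// naiveLink mirrors the advisory's bug class: it trusts the declared length.
// In Go the overread surfaces as an index-out-of-range panic rather than a
// read of stale memory, which is still a denial of service for anything that
// decodes untrusted blocks. The recover only exists so main and the tests can
// observe the panic as an error.
func naiveLink(block []byte) (payload []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	if len(block) < 2 {
		return nil, errors.New("block too short")
	}
	n, consumed := binary.Uvarint(block[1:])
	if consumed <= 0 {
		return nil, errors.New("malformed length varint")
	}
	start := 1 + consumed
	var out []byte
	// Walks n bytes without checking that they exist: panics on truncatedBlock.
	for i := 0; i < int(n); i++ {
		out = append(out, block[start+i])
	}
	return out, nil
}

// safeLink checks the declared length against the bytes actually remaining
// before slicing, so a truncated block yields an error instead of a panic.
func safeLink(block []byte) ([]byte, error) {
	if len(block) < 2 {
		return nil, errors.New("block too short")
	}
	if block[0] != 0x12 {
		return nil, fmt.Errorf("unexpected tag 0x%02x", block[0])
	}
	n, consumed := binary.Uvarint(block[1:])
	if consumed <= 0 {
		return nil, errors.New("malformed length varint")
	}
	start := 1 + consumed
	remaining := len(block) - start
	// Compare in uint64 so a huge declared length cannot wrap on conversion.
	if n > uint64(remaining) {
		return nil, fmt.Errorf("declared length %d exceeds remaining %d bytes", n, remaining)
	}
	return block[start : start+int(n)], nil
}

func main() {
	for _, b := range [][]byte{goodBlock, truncatedBlock} {
		p, err := naiveLink(b)
		fmt.Printf("naive: payload=%q err=%v\n", p, err)
		p, err = safeLink(b)
		fmt.Printf("safe:  payload=%q err=%v\n", p, err)
	}
}
```

Run it and the naive decoder reports a recovered panic on the truncated block while the checked decoder returns a plain error; in a real codec the equivalent check belongs before every slice that is sized from data read out of the block itself.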
arc-swap (>=0.3.1 <=0.4.5), ipld-collections (>=0.1.0 <=0.3.0) +3 more potentially affected by CVE-2020-36460 via model (>=0.0.4 <=0.1.2)
model CARGO version =0.0.4, =0.3.1, =0.1.0, =0.1.0, =0.13.0, =0.0.1, =0.1.5 Source cves: CVE-2020-36460 Source advisory: OSV:GHSA-MXV6-Q98X-H958...
cid (>=0.3.2 <=0.4.0), dag-cbor (=0.1.0) +41 more potentially affected by CVE-2020-35909 via multihash (=0.10.1)
multihash CARGO version =0.10.1 is affected by a known vulnerability. The following packages have a transitive dependency on multihash and may be impacted: - cid =0.3.2, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.5.1, =0.0.1, =0.0.2 - libipld =0.1.0 - libipld-base =0.1.0 - libipld-core...
arc-swap (>=0.3.1 <=0.4.5), ipld-collections (>=0.1.0 <=0.3.0) +3 more potentially affected by CVE-2020-36460 via model (>=0.0.4 <=0.1.2)
model CARGO version =0.0.4, =0.3.1, =0.1.0, =0.1.0, =0.13.0, =0.0.1, =0.1.5 Source cves: CVE-2020-36460 Source advisory: OSV:RUSTSEC-2020-0140...