GHSA-46wq-28cx-mhw4
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys
상세
### Impact
A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted `TrieChunk` whose proof contains two `TrieProofNode`s with identical keys. `TrieProof::verify()` calls `TrieProofNode::child_index()` (`primitives/src/trie/trie_proof_node.rs:94`), which unconditionally unwraps `KeyNibbles::get(self.key.len())`. Because `is_prefix_of` returns `true` for two equal keys, execution reaches `get(len)`, which returns `None`, and the `unwrap()` panics.
The panic is reached from untrusted network input (`ResponseChunk` → `commit_chunks` → `put_chunk` → `proof.verify()`) **before** any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (`nimiq-primitives`).
### Patches
Fixed in **1.6.0** via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit `41d35ace`). `child_index` now rejects equal-length keys and returns `MerkleRadixTrieError::WrongPrefix` instead of unwrapping.
### Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 수정 버전: 1.6.0 Upgrade nimiq-primitives to 1.6.0 or newer (ecosystem crates.io).
참고
- https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-46wq-28cx-mhw4 [WEB]
- https://github.com/nimiq/core-rs-albatross/pull/3789 [WEB]
- https://github.com/nimiq/core-rs-albatross/commit/41d35acee1b5cf3bc34ec3ddc1abbc03604e791e [WEB]
- https://github.com/nimiq/core-rs-albatross [PACKAGE]
- https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0 [WEB]