Backport security patch for GHSA-hrhf-2vcr-ghch #52

Merged
tqin7 merged 4 commits into dydx-fork-v0.38.5 from tq/security-patch-GHSA-hrhf-2vcr-ghch
Oct 14, 2025

Conversation

@tqin7 (Collaborator) commented Oct 14, 2025

Backport commit 5ba75e6 as part of security advisory GHSA-hrhf-2vcr-ghch

  • the other commits in this PR are necessary for 5ba75e6 to build / test successfully while fixing other medium severity bugs

PR checklist

  • Tests written/updated
  • Changelog entry added in .changelog (we use unclog to manage our changelog)
  • Updated relevant documentation (docs/ or spec/) and code comments

@tqin7 tqin7 force-pushed the tq/security-patch-GHSA-hrhf-2vcr-ghch branch 2 times, most recently from 92b3881 to 8f21cfc on October 14, 2025 19:26
mergify bot and others added 4 commits October 14, 2025 15:33
…the JSON (backport cometbft#2774) (cometbft#2778)

This change fixes a bug in which BitArray.UnmarshalJSON hadn't accounted
for the fact that invoking NewBitArray(<=0) returns nil and hence when
dereferenced would crash with a runtime nil pointer dereference. This
bug was found by my security analysis and fuzzing too.

Author: @odeke-em

Fixes cometbft#2658

---

- [x] Tests written/updated
- [x] Changelog entry added in `.changelog` (we use
[unclog](https://github.com/informalsystems/unclog) to manage our
changelog)
- [ ] ~~Updated relevant documentation (`docs/` or `spec/`) and code
comments~~
- [x] Title follows the [Conventional
Commits](https://www.conventionalcommits.org/en/v1.0.0/) spec
This is an automatic backport of pull request cometbft#2774 done by
[Mergify](https://mergify.com).

---------

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
…#5324) (cometbft#5407)

---
Updates the consensus reactor to validate that a received proposal will
not contain more parts than the number of chunks that it would take to
build a block whose size is equal to `ConsensusParams.Block.MaxBytes`.

Original PR is here cometbft#5309, but
reopened since the contributor stopped replying.

- [ ] Tests written/updated
- [ ] Changelog entry added in `.changelog` (we use
[unclog](https://github.com/informalsystems/unclog) to manage our
changelog)
- [ ] Updated relevant documentation (`docs/` or `spec/`) and code
comments
This is an automatic backport of pull request cometbft#5324 done by
[Mergify](https://mergify.com).

Co-authored-by: Alex | Interchain Labs <alex@cosmoslabs.io>
Co-authored-by: arsushi <richie@asymmetric.re>
Co-authored-by: Abdul Malek <me@almk.dev>
Co-authored-by: Matt Acciai <matt@skip.money>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Tyler <48813565+technicallyty@users.noreply.github.com>
Co-authored-by: maradini77 <140460067+maradini77@users.noreply.github.com>
* add ValidateBasic to BitArray to ensure Bits and len(Elems) are valid

* call ValidateBasic on BitArrays when receiving as a msg from external nodes

* enforce SetIndex is not setting out of bounds

* add guard to getNumTrueIndices

getNumTrueIndices will index out of bounds if Bits and Elems have a
mismatch where len(elems) != (bits+63)/64; this guard makes it simply
return 0 if this mismatch is present

* changelog

* fix missing import for v0.38.x

* update changelog for release of v0.38.19

* remove duplicate bug fixes from unreleased

* fix changelog date

* fix lint

* fix expected error string in test
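An added Go example (not CometBFT's or this PR's code) of the invariant the commits above enforce: a BitArray is consistent only when len(Elems) == (Bits+63)/64, so ValidateBasic rejects a peer-supplied array that violates it and the guarded getNumTrueIndices returns 0 rather than indexing past Elems. The type, field and method names follow the commit messages; their bodies, and NewBitArray returning nil for a non-positive size, are assumptions made here.

```go
package main

// Added example, not CometBFT's or this PR's code: a minimal BitArray with
// the invariant the commits describe, len(Elems) == (Bits+63)/64, checked
// by ValidateBasic and guarded in getNumTrueIndices. Bodies are assumptions.

import "fmt"

type BitArray struct {
	Bits  int      `json:"bits"`
	Elems []uint64 `json:"elems"`
}

// NewBitArray returns nil for a non-positive size (assumed, as the first
// commit notes), so callers must check for nil before dereferencing.
func NewBitArray(bits int) *BitArray {
	if bits <= 0 {
		return nil
	}
	return &BitArray{Bits: bits, Elems: make([]uint64, (bits+63)/64)}
}

// ValidateBasic rejects a BitArray (e.g. one decoded from a peer's message)
// whose Bits and Elems disagree.
func (bA *BitArray) ValidateBasic() error {
	if bA == nil {
		return fmt.Errorf("nil BitArray")
	}
	if bA.Bits < 0 {
		return fmt.Errorf("negative Bits %d", bA.Bits)
	}
	if want := (bA.Bits + 63) / 64; len(bA.Elems) != want {
		return fmt.Errorf("Bits=%d needs %d Elems, got %d", bA.Bits, want, len(bA.Elems))
	}
	return nil
}

// getNumTrueIndices counts set bits over [0, Bits). Without the guard, a
// mismatched (too short) Elems slice would be indexed past its end and panic.
func (bA *BitArray) getNumTrueIndices() int {
	if bA.ValidateBasic() != nil {
		return 0
	}
	n := 0
	for i := 0; i < bA.Bits; i++ {
		if bA.Elems[i/64]&(1<<(uint(i)%64)) != 0 {
			n++
		}
	}
	return n
}
```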
@tqin7 tqin7 force-pushed the tq/security-patch-GHSA-hrhf-2vcr-ghch branch from 8f21cfc to 874754b on October 14, 2025 19:33
@tqin7 tqin7 merged commit 0235a93 into dydx-fork-v0.38.5 Oct 14, 2025
13 of 15 checks passed
@tqin7 tqin7 deleted the tq/security-patch-GHSA-hrhf-2vcr-ghch branch October 14, 2025 20:25
