CVE-2023-23625: Certain versions of go-unixfs from IPFS contain a vulnerability (9th Feb 2023)

Preface: AI system infrastructure may never reach a mature model; it will keep evolving without end. Perhaps this is true sustainability. Since its key component is the computer, the only things that slow it down are software and hardware bugs.


Background: Cryptocurrency technology makes full use of the blockchain concept. The very advantages of cryptocurrency are easily misused, which makes it dangerous, so many governments hesitate to get involved and it falls short of its original objective. Its related technology, however, will keep growing rapidly: IPFS. AI requires heavy amounts of storage and compute. From a technical point of view, distributed storage is an advantage: because the data is not kept in one place, overall reliability and efficiency improve. AI robots will communicate over 5G and work with distributed data storage. Machine learning operations and processes can be fully leveraged once regional constraints are removed. Perhaps the distributed cloud computing platform is the first milestone that boosts the world into the age of artificial intelligence.

Large models of deep learning are often shared by researchers via Google Drive links which have transfer limits and are not reliably online. IPFS provides a great decentralized solution to hosting data which can be downloaded via regular web links.
go-unixfs is part of the IPFS implementation in Go; “unixfs” is listed as a tool in the Go Modules Packages category of a tech stack.
A Merkle DAG is a DAG in which each node has an identifier that is the result of hashing the node’s contents. go-unixfs implements Unix-like filesystem utilities on top of an IPLD merkledag. (A Merkle DAG implementation in Python also exists.)

Vulnerability details: go-unixfs is an implementation of a Unix-like filesystem on top of an IPLD merkledag. Reading malformed HAMT sharded directories can cause panics and virtual memory leaks; if untrusted user input is decoded, an attacker can trigger such a panic. The cause is a bogus `fanout` parameter in the HAMT directory nodes.

Solution: Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
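The defensive point of the advisory is that a decoder must validate the node's claimed `fanout` before it drives any allocation or bit-width computation. The following is an added illustration written for this post, not code from go-unixfs: the `hamtShardHeader` type, the `validateShard` function and the `maxFanout` limit are all assumptions chosen here, not the project's own names or values.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// maxFanout is an assumed upper bound chosen for this example (not a
// go-unixfs constant); it keeps per-node slot allocations small.
const maxFanout = 1 << 10

// hamtShardHeader holds the fields of a HAMT shard node that a decoder
// reads before allocating anything. Constructed for this example.
type hamtShardHeader struct {
	Fanout   uint64 // number of slots per node claimed by the node
	NumLinks int    // links actually present in the node
}

// validateShard checks the claimed fanout before it is trusted. It returns
// the number of hash bits consumed per level (log2(fanout)) when the header
// is acceptable, so a zero or non-power-of-two fanout can never reach the
// code that sizes tables from it.
func validateShard(h hamtShardHeader) (int, error) {
	if h.Fanout == 0 {
		return 0, errors.New("hamt: fanout must be non-zero")
	}
	if h.Fanout&(h.Fanout-1) != 0 {
		return 0, fmt.Errorf("hamt: fanout %d is not a power of two", h.Fanout)
	}
	if h.Fanout > maxFanout {
		return 0, fmt.Errorf("hamt: fanout %d exceeds limit %d", h.Fanout, maxFanout)
	}
	if h.NumLinks < 0 || uint64(h.NumLinks) > h.Fanout {
		return 0, fmt.Errorf("hamt: %d links cannot fit in fanout %d", h.NumLinks, h.Fanout)
	}
	return bits.TrailingZeros64(h.Fanout), nil
}

func main() {
	// Constructed sample headers: one well-formed, three malformed.
	for _, h := range []hamtShardHeader{{256, 10}, {0, 0}, {300, 1}, {1 << 40, 1}} {
		w, err := validateShard(h)
		fmt.Printf("fanout=%d links=%d -> bits=%d err=%v\n", h.Fanout, h.NumLinks, w, err)
	}
}
```

Rejecting the header early is the check a caller "unable to upgrade" would want in front of any decoding of untrusted directory nodes.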

Official announcement: For details, see the link – https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
