data/reports: add GO-2024-3112

  - data/reports/GO-2024-3112.yaml

Fixes #3112

Change-Id: I8994a6237e57ed892704ca4841a1ad8ed28090e1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/613258
Auto-Submit: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>

Author: tatianab

data/osv/GO-2024-3112.json

@@ -0,0 +1,298 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3112",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-g5xx-c4hv-9ccc"
+  ],
+  "summary": "CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft",
+  "details": "CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cometbft/cometbft",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.37.0"
+            },
+            {
+              "fixed": "0.37.11"
+            },
+            {
+              "introduced": "0.38.0"
+            },
+            {
+              "fixed": "0.38.12"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cometbft/cometbft/light",
+            "symbols": [
+              "Client.TrustedLightBlock",
+              "Client.Update",
+              "Client.VerifyHeader",
+              "Client.VerifyLightBlockAtHeight",
+              "Client.compareFirstHeaderWithWitnesses",
+              "Client.compareNewHeaderWithWitness",
+              "Client.detectDivergence",
+              "Client.findNewPrimary",
+              "Client.initializeWithTrustOptions",
+              "ErrInvalidHeader.Error",
+              "ErrNewValSetCantBeTrusted.Error",
+              "ErrOldHeaderExpired.Error",
+              "ErrVerificationFailed.Error",
+              "NewClient",
+              "NewClientFromTrustedStore",
+              "NewHTTPClient",
+              "NewHTTPClientFromTrustedStore",
+              "TrustOptions.ValidateBasic",
+              "ValidateTrustLevel",
+              "Verify",
+              "VerifyAdjacent",
+              "VerifyBackwards",
+              "VerifyNonAdjacent",
+              "errBadWitness.Error",
+              "errConflictingHeaders.Error"
+            ]
+          },
+          {
+            "path": "github.com/cometbft/cometbft/types",
+            "symbols": [
+              "ABCIParams.VoteExtensionsEnabled",
+              "Block.Hash",
+              "Block.HashesTo",
+              "Block.MakePartSet",
+              "Block.Size",
+              "Block.String",
+              "Block.StringIndented",
+              "Block.StringShort",
+              "Block.ToProto",
+              "Block.ValidateBasic",
+              "BlockFromProto",
+              "BlockID.Key",
+              "BlockID.String",
+              "BlockID.ValidateBasic",
+              "BlockIDFromProto",
+              "BlockMeta.ValidateBasic",
+              "BlockMetaFromProto",
+              "BlockMetaFromTrustedProto",
+              "CanonicalTime",
+              "CanonicalizeBlockID",
+              "CanonicalizeProposal",
+              "CanonicalizeVote",
+              "Commit.GetVote",
+              "Commit.Hash",
+              "Commit.StringIndented",
+              "Commit.ToVoteSet",
+              "Commit.ValidateBasic",
+              "Commit.VoteSignBytes",
+              "CommitFromProto",
+              "CommitSig.BlockID",
+              "CommitSig.FromProto",
+              "CommitSig.String",
+              "CommitSig.ValidateBasic",
+              "ConsensusParams.ValidateBasic",
+              "ConsensusParams.ValidateUpdate",
+              "Data.StringIndented",
+              "DuplicateVoteEvidence.Bytes",
+              "DuplicateVoteEvidence.Hash",
+              "DuplicateVoteEvidence.String",
+              "DuplicateVoteEvidence.ValidateBasic",
+              "DuplicateVoteEvidenceFromProto",
+              "ErrEvidenceOverflow.Error",
+              "ErrInvalidCommitHeight.Error",
+              "ErrInvalidCommitSignatures.Error",
+              "ErrInvalidEvidence.Error",
+              "ErrNotEnoughVotingPowerSigned.Error",
+              "ErrVoteConflictingVotes.Error",
+              "ErrVoteExtensionInvalid.Error",
+              "EventBus.OnStart",
+              "EventBus.OnStop",
+              "EventBus.PublishEventNewBlock",
+              "EventBus.PublishEventNewBlockEvents",
+              "EventBus.PublishEventTx",
+              "EventQueryTxFor",
+              "EvidenceData.ByteSize",
+              "EvidenceData.FromProto",
+              "EvidenceData.Hash",
+              "EvidenceData.StringIndented",
+              "EvidenceData.ToProto",
+              "EvidenceFromProto",
+              "EvidenceList.Has",
+              "EvidenceList.Hash",
+              "EvidenceList.String",
+              "EvidenceToProto",
+              "ExtendedCommit.EnsureExtensions",
+              "ExtendedCommit.GetByIndex",
+              "ExtendedCommit.GetExtendedVote",
+              "ExtendedCommit.ToExtendedVoteSet",
+              "ExtendedCommit.ValidateBasic",
+              "ExtendedCommitFromProto",
+              "ExtendedCommitSig.EnsureExtension",
+              "ExtendedCommitSig.FromProto",
+              "ExtendedCommitSig.String",
+              "ExtendedCommitSig.ValidateBasic",
+              "GenesisDoc.SaveAs",
+              "GenesisDoc.ValidateAndComplete",
+              "GenesisDoc.ValidatorHash",
+              "GenesisDocFromFile",
+              "GenesisDocFromJSON",
+              "Header.Hash",
+              "Header.StringIndented",
+              "Header.ValidateBasic",
+              "HeaderFromProto",
+              "LightBlock.String",
+              "LightBlock.StringIndented",
+              "LightBlock.ToProto",
+              "LightBlock.ValidateBasic",
+              "LightBlockFromProto",
+              "LightClientAttackEvidence.Bytes",
+              "LightClientAttackEvidence.Hash",
+              "LightClientAttackEvidence.String",
+              "LightClientAttackEvidence.ToProto",
+              "LightClientAttackEvidence.ValidateBasic",
+              "LightClientAttackEvidenceFromProto",
+              "MakeBlock",
+              "MakeExtCommit",
+              "MakeVote",
+              "MakeVoteNoError",
+              "MaxDataBytes",
+              "MaxDataBytesNoEvidence",
+              "MockPV.SignProposal",
+              "MockPV.SignVote",
+              "MockPV.String",
+              "NewBlockMeta",
+              "NewDuplicateVoteEvidence",
+              "NewErroringMockPV",
+              "NewMockDuplicateVoteEvidence",
+              "NewMockDuplicateVoteEvidenceWithValidator",
+              "NewMockPV",
+              "NewValidatorSet",
+              "Part.String",
+              "Part.StringIndented",
+              "Part.ValidateBasic",
+              "PartFromProto",
+              "PartSet.AddPart",
+              "PartSet.MarshalJSON",
+              "PartSet.StringShort",
+              "PartSetHeader.String",
+              "PartSetHeader.ValidateBasic",
+              "PartSetHeaderFromProto",
+              "Proposal.String",
+              "Proposal.ValidateBasic",
+              "ProposalFromProto",
+              "ProposalSignBytes",
+              "QueryForEvent",
+              "RandValidator",
+              "RandValidatorSet",
+              "SignAndCheckVote",
+              "SignedHeader.String",
+              "SignedHeader.StringIndented",
+              "SignedHeader.ValidateBasic",
+              "SignedHeaderFromProto",
+              "Tx.String",
+              "TxProof.Validate",
+              "TxProofFromProto",
+              "Txs.Validate",
+              "ValidateHash",
+              "Validator.Bytes",
+              "Validator.String",
+              "Validator.ToProto",
+              "Validator.ValidateBasic",
+              "ValidatorFromProto",
+              "ValidatorListString",
+              "ValidatorSet.CopyIncrementProposerPriority",
+              "ValidatorSet.GetProposer",
+              "ValidatorSet.Hash",
+              "ValidatorSet.IncrementProposerPriority",
+              "ValidatorSet.Iterate",
+              "ValidatorSet.String",
+              "ValidatorSet.StringIndented",
+              "ValidatorSet.ToProto",
+              "ValidatorSet.TotalVotingPower",
+              "ValidatorSet.UpdateWithChangeSet",
+              "ValidatorSet.ValidateBasic",
+              "ValidatorSet.VerifyCommit",
+              "ValidatorSet.VerifyCommitLight",
+              "ValidatorSet.VerifyCommitLightAllSignatures",
+              "ValidatorSet.VerifyCommitLightTrusting",
+              "ValidatorSet.VerifyCommitLightTrustingAllSignatures",
+              "ValidatorSet.findProposer",
+              "ValidatorSetFromExistingValidators",
+              "ValidatorSetFromProto",
+              "VerifyCommit",
+              "VerifyCommitLight",
+              "VerifyCommitLightAllSignatures",
+              "VerifyCommitLightTrusting",
+              "VerifyCommitLightTrustingAllSignatures",
+              "Vote.CommitSig",
+              "Vote.ExtendedCommitSig",
+              "Vote.String",
+              "Vote.ValidateBasic",
+              "Vote.Verify",
+              "Vote.VerifyExtension",
+              "Vote.VerifyVoteAndExtension",
+              "VoteExtensionSignBytes",
+              "VoteFromProto",
+              "VoteSet.AddVote",
+              "VoteSet.BitArrayByBlockID",
+              "VoteSet.BitArrayString",
+              "VoteSet.HasAll",
+              "VoteSet.HasTwoThirdsAny",
+              "VoteSet.LogString",
+              "VoteSet.MakeExtendedCommit",
+              "VoteSet.MarshalJSON",
+              "VoteSet.SetPeerMaj23",
+              "VoteSet.String",
+              "VoteSet.StringIndented",
+              "VoteSet.StringShort",
+              "VoteSet.VoteStrings",
+              "VoteSignBytes"
+            ]
+          }
+        ],
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0.34.0"
+              },
+              {
+                "fixed": "0.34.34"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3112",
+    "review_status": "REVIEWED"
+  }
+}