security: fixes OOM DoS vulnerability. upgrade gnark-crypto v0.12.1 → v0.20.1#20
Open
chris-mercer wants to merge 6 commits into
Conversation
Go 1.21 reached end-of-life in August 2024 with no security patches. This is the primary ETC client — cannot ship on EOL toolchain.
Changes:
- go.mod: Go 1.21 → 1.24
- Dockerfiles: golang:1.22-alpine → golang:1.24-alpine
- CI workflows: all 8 workflow files updated to Go 1.24
- Remove fjl/memsize dependency (incompatible with Go 1.23+ due to runtime.stopTheWorld linkname restriction, no upstream fix available)
- Fix Go 1.24 non-constant format string vet errors in 7 test files
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
blst v0.3.11 used `typedef _Bool bool` which C23-aware GCC in golang:1.24-alpine rejects (bool is a keyword in C23). v0.3.14 includes explicit C23 harmonization and Go 1.24 support. Also added -std=gnu11 to gotool.go CGO_CFLAGS as defense-in-depth against future C23 typedef issues from any CGO dependency. The Dockerfile ENV approach was ineffective because gotool.go unconditionally overrides CGO_CFLAGS. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go 1.24 reached end-of-life on 2026-02-11. Go 1.26.1 is the current stable release. The x/tools package required updating for Go 1.26 compatibility, which cascaded to x/crypto, x/net, x/sys, x/sync, x/text, and x/mod.
Changes:
- go.mod: Go 1.24 → 1.26
- golang.org/x/tools v0.21 → v0.43 (Go 1.26 compat)
- golang.org/x/crypto v0.31 → v0.49 (cascading dep)
- golang.org/x/net v0.33 → v0.52 (cascading dep)
- golang.org/x/sys v0.28 → v0.42 (cascading dep)
- golang.org/x/sync v0.10 → v0.20 (cascading dep)
- golang.org/x/text v0.21 → v0.35 (cascading dep)
- golang.org/x/mod v0.17 → v0.34 (cascading dep)
- All 8 CI workflows: go-version 1.24 → 1.26
- Both Dockerfiles: golang:1.24-alpine → golang:1.26-alpine
Verified: go build ./..., go vet ./..., go mod tidy (clean)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Latest stable release (Sep 2024). Includes lifted limitation for 384-bit modular inversion and hardened operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Brings x/time to current release. Used in p2p/dnsdisc rate limiting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
….1.0
Fixes GO-2025-4087: unchecked memory allocation during Vector deserialization allows OOM DoS via crafted payloads.
gnark-crypto v0.20.1 requires updated go-kzg-4844 v1.1.0 due to API change (blob parameters changed from value to pointer). Updated kzg4844_gokzg.go wrapper accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR updates cryptography dependencies to address an OOM DoS vector in gnark-crypto deserialization and adjusts related tooling/wrappers to stay compatible with the upgraded libraries and Go toolchain.
Changes:
- Upgrade github.com/consensys/gnark-crypto to v0.20.1 (and related dependency cascade) and bump go-kzg-4844 to v1.1.0.
- Update the Go KZG wrapper to match the new go-kzg-4844 API (blob arguments now passed by pointer).
- Bump Go/tooling to 1.26 across module, CI, and Dockerfiles; remove the fjl/memsize debug endpoint and fix vet-unfriendly test logging/formatting.
Reviewed changes
Copilot reviewed 21 out of 22 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| metrics/json_test.go | Fix t.Fatalf to use a constant format string (vet compliance). |
| internal/debug/flags.go | Remove memsizeui import/state and /memsize/ pprof handler wiring. |
| internal/build/gotool.go | Add -std=gnu11 to CGO C flags for C compiler compatibility. |
| go.sum | Reflect updated direct/indirect dependency versions and removals. |
| go.mod | Bump Go version to 1.26 and update required module versions (gnark-crypto, go-kzg, blst, x/*). |
| crypto/kzg4844/kzg4844_gokzg.go | Update go-kzg calls to pass blobs by pointer per v1.x API. |
| core/rawdb/accessors_chain_test.go | Fix t.Fatalf to use a constant format string (vet compliance). |
| cmd/rlpdump/main.go | Make Fprintf usage explicit with a format string. |
| cmd/geth/main.go | Remove debug.Memsize.Add(...) usage. |
| cmd/geth/logging_test.go | Fix t.Logf calls to use constant format strings (vet compliance). |
| cmd/evm/t8n_test.go | Fix t.Logf calls to use constant format strings (vet compliance). |
| accounts/abi/unpack_test.go | Fix incorrect t.Fatalf formatting when hex decode fails. |
| Dockerfile.alltools | Update builder image to golang:1.26-alpine. |
| Dockerfile | Update builder image to golang:1.26-alpine. |
| .github/workflows/test-linux.yml | Update CI Go version to 1.26. |
| .github/workflows/release-packages.yml | Update CI Go version to 1.26. |
| .github/workflows/go-generate-check.yml | Update CI Go version to 1.26. |
| .github/workflows/evmc.yml | Update CI Go version to 1.26. |
| .github/workflows/bench-vm.yml | Update CI Go version to 1.26. |
| .github/workflows/bench-trie.yml | Update CI Go version to 1.26. |
| .github/workflows/bench-core.yml | Update CI Go version to 1.26. |
| .github/workflows/audit-bootnodes.yml | Update CI Go version to 1.26. |
Summary
Upgrades consensys/gnark-crypto from v0.12.1 to v0.20.1, fixing GO-2025-4087 — an unchecked memory allocation during Vector deserialization that allows remote OOM DoS via crafted payloads. Also upgrades crate-crypto/go-kzg-4844 from v0.7.0 to v1.1.0 for API compatibility (blob parameters changed from pass-by-value to pass-by-pointer in the newer gnark-crypto release).

Vulnerability
Vector.ReadFrom(), Vector.AsyncReadFrom(), Vector.UnmarshalBinary() across 20+ curve packages do not validate allocation sizes, allowing memory exhaustion via crafted inputs.

Changes
- go.mod: gnark-crypto v0.12.1 → v0.20.1, go-kzg-4844 v0.7.0 → v1.1.0
- crypto/kzg4844/kzg4844_gokzg.go: updated wrapper to use pointer casts for blob arguments (API change in go-kzg-4844 v1.x)

Dependencies
Requires PR #10 (Go 1.26 upgrade) to be merged first. This PR was branched from #10's branch, so it inherits and layers on top of those changes. gnark-crypto v0.20.1 uses Go generics and requires Go 1.22+; #10 upgrades from Go 1.21 to 1.26.

Verification
- go build ./... — clean
- go vet ./... — clean
- go mod tidy — no changes

References
Road to Olympia — Core-Geth Modernization March
Developed by White B0x Inc. for Ethereum Classic DAO LLC
🤖 Generated with Claude Code

Merge Order
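The flaw class named in the Vulnerability section (sizing a vector from an untrusted length prefix before a single element has been read) next to the check a hardened deserializer makes, as an added Go illustration that is neither gnark-crypto's code nor the actual v0.20.1 fix; the 4-byte big-endian count, the 32-byte element size and the maxElems cap are constructed assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
)

const ElemSize = 32 // constructed stand-in for one serialized field element

var ErrLengthTooLarge = errors.New("vector: declared length exceeds input or cap")

// DecodeUnchecked shows the flaw class: the slice is sized from the
// peer-supplied count before any element is read, so a forged prefix
// turns into a huge make() before the short input is ever noticed.
func DecodeUnchecked(payload []byte) ([][ElemSize]byte, error) {
	if len(payload) < 4 {
		return nil, io.ErrUnexpectedEOF
	}
	out := make([][ElemSize]byte, binary.BigEndian.Uint32(payload)) // sender-chosen size
	return out, readElems(payload[4:], out)
}

// DecodeBounded allocates only after checking that n elements fit in the
// bytes actually present and stay under a caller-chosen cap.
func DecodeBounded(payload []byte, maxElems uint32) ([][ElemSize]byte, error) {
	if len(payload) < 4 {
		return nil, io.ErrUnexpectedEOF
	}
	n, body := binary.BigEndian.Uint32(payload), payload[4:]
	if n > maxElems || uint64(n)*ElemSize > uint64(len(body)) {
		return nil, ErrLengthTooLarge // rejected before any allocation happens
	}
	out := make([][ElemSize]byte, n)
	return out, readElems(body, out)
}

// readElems copies fixed-size elements out of body; a short body is an error.
func readElems(body []byte, out [][ElemSize]byte) error {
	for i := range out {
		if len(body) < ElemSize {
			return io.ErrUnexpectedEOF
		}
		copy(out[i][:], body[:ElemSize])
		body = body[ElemSize:]
	}
	return nil
}
```

The same bound applies when the input is a stream rather than a buffer: cap the count by the bytes the transport is known to carry, or grow the slice as elements arrive instead of pre-sizing it.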