Merge commit from fork

* Prevent empty groups (cherry picked from commit 95090a0ec1f193104ba7d6d033a490d1515e54d8) * Handle inflight proposals (cherry picked from commit 855983471882068894ed7952b592ab3e61b464b9) * No empty group with simulations * Update changelog * Set release date * updates * Update RELEASE_NOTES.md * Update RELEASE_NOTES.md --------- Co-authored-by: Alex Peters <[email protected]> Co-authored-by: Julien Robert <[email protected]>
crypto-org-chain · Feb 20, 2025 · de16a06 · de16a06
1 parent 05863f6
commit de16a06
Show file tree

Hide file tree

Showing 7 changed files with 142 additions and 130 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -58,6 +58,16 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+
+## [v0.50.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12) - 2025-02-20
+
+### Bug Fixes
+
+* [GHSA-x5vx-95h7-rv4p](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p) Fix Group module can halt chain when handling a malicious proposal
+
+
+## [v0.50.11](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11) - 2024-12-16
+
 ### Features
 
 * (crypto/keyring) [#21653](https://github.com/cosmos/cosmos-sdk/pull/21653) New Linux-only backend that adds Linux kernel's `keyctl` support.

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,20 +1,16 @@
-# Cosmos SDK v0.50.10 Release Notes
+# Cosmos SDK v0.50.12 Release Notes
 
 💬 [**Release Discussion**](https://github.com/orgs/cosmos/discussions/58)
 
 ## 🚀 Highlights
 
-For this month patch release of the v0.50.x line, some bugs were fixed.
+This patch release fixes [GHSA-x5vx-95h7-rv4p](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p).
+It resolves a `x/group` module issue that can halt chain when handling a malicious proposal.
+Only users of the `x/group` module are affected by this issue.
 
-Notably, we fixed the following:
-
-* Add the root command `module-hash-by-height` to query and retrieve module hashes at a specific height
-* `PreBlock` events (mainly `x/upgrade`) are now emitted (this time, for real)
-* A fix in runtime baseapp option ordering, giving issue when other modules were having options
+We recommended to upgrade to this patch release as soon as possible.
+When upgrading from <= v0.50.11, please use a chain upgrade to ensure that 2/3 of the validator power upgrade to v0.50.12.
 
 ## 📝 Changelog
 
-Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.50.10/CHANGELOG.md) for an exhaustive list of changes, or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.50.9...v0.50.10) from the last release.
-
-Refer to the [upgrading guide](https://github.com/cosmos/cosmos-sdk/blob/release/v0.50.x/UPGRADING.md) when migrating from `v0.47.x` to `v0.50.1`.
-Note, that the next SDK release, v0.52, will not include `x/params` migration, when migrating from < v0.47, v0.50.x **or** v0.47.x, is a mandatory migration.
+Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.50.12/CHANGELOG.md) for an exhaustive list of changes, or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.50.11...v0.50.12) from the last release.
diff --git a/x/group/keeper/msg_server.go b/x/group/keeper/msg_server.go
@@ -200,6 +200,10 @@ func (k Keeper) UpdateGroupMembers(goCtx context.Context, msg *group.MsgUpdateGr
 				return err
 			}
 		}
+		// ensure that group has one or more members
+		if totalWeight.IsZero() {
+			return errorsmod.Wrap(errors.ErrInvalid, "group must not be empty")
+		}
 		// Update group in the groupTable.
 		g.TotalWeight = totalWeight.String()
 		g.Version++
@@ -1145,10 +1149,8 @@ func (k Keeper) validateMembers(members []group.MemberRequest) error {
 		if _, err := math.NewNonNegativeDecFromString(member.Weight); err != nil {
 			return errorsmod.Wrap(err, "weight must be non negative")
 		}
-
 		index[member.Address] = struct{}{}
 	}
-
 	return nil
 }