Merge remote-tracking branch 'origin/v0.39.x-celestia' into wt-2949b

# Conflicts:
#	consensus/byzantine_test.go

Author: rootulp

.changelog/unreleased/bug-fixes/2843-exec-commit-block-blobtx-stripping.md

@@ -0,0 +1,3 @@
+- Strip BlobTx wrappers in `ExecCommitBlock` to match `applyBlock` behavior,
+  fixing a crash recovery replay determinism issue where different transaction
+  bytes were sent to `FinalizeBlock` during replay vs normal execution.

.changelog/unreleased/bug-fixes/blocksync-extcommit-validation.md

@@ -0,0 +1,3 @@
+- `[blocksync]` Cross-validate ExtendedCommit against LastCommit before
+  persisting during block sync to prevent a malicious peer from injecting a
+  corrupted ExtendedCommit that causes a panic on consensus restart.

.changelog/unreleased/bug-fixes/lca-pubkey-address-binding.md

@@ -0,0 +1,3 @@
+- `[evidence]` Add PubKey-to-Address binding check in
+  `validateABCIEvidence` to prevent LightClientAttackEvidence with swapped
+  PubKeys from redirecting slash attribution to innocent validators.

.changelog/unreleased/bug-fixes/lcae-nil-signed-header.md

@@ -0,0 +1,3 @@
+- `[types]` Validate that `LightClientAttackEvidence.ConflictingBlock.SignedHeader`
+  is non-nil in `ValidateBasic` to prevent a nil pointer panic during block
+  deserialization. Backported from cometbft/cometbft#5757.

.changelog/unreleased/bug-fixes/seentx-per-peer-request-limit.md

@@ -0,0 +1,3 @@
+- Enforce `maxRequestsPerPeer` on the direct SeenTx→requestTx path in the
+  CAT mempool reactor. Previously, a peer could bypass the 30-request per-peer
+  cap by sending SeenTx messages without signer/sequence information.

.changelog/unreleased/bug-fixes/seentx-set-unbounded-growth.md

@@ -0,0 +1,4 @@
+- Cap `SeenTxSet` to 10,000,000 entries (~5 GB worst-case) to prevent
+  unbounded memory growth from malicious peers flooding SeenTx messages
+  with random tx keys.
+  ([\#CELESTIA-256](https://github.com/celestiaorg/celestia-core/issues/CELESTIA-256))

.changelog/unreleased/bug-fixes/socket-client-query-sequence.md

@@ -0,0 +1,3 @@
+- `[abci/client]` Add missing `QuerySequence` case to `resMatchesReq` in socket
+  client, which caused the client to treat a valid `QuerySequence` response as
+  unexpected and terminate the connection.

.github/CODEOWNERS

@@ -1,10 +1,8 @@
-# CODEOWNERS: https://help.github.com/articles/about-codeowners/
+# CODEOWNERS: <https://help.github.com/articles/about-codeowners/>
 
-# Everything goes through the following "global owners" by default.
-# Unless a later match takes precedence, these three will be
-# requested for review when someone opens a PR.
-# Note that the last matching pattern takes precedence, so
-# global owners are only requested if there isn't a more specific
-# codeowner specified below. For this reason, the global codeowners
-# are often repeated in package-level definitions.
-*     @rach-id @evan-forbes @mcrakhman @ninabarbakadze
+# Everything goes through the protocol team by default. The team's review
+# assignment settings control how many reviewers are auto-assigned per PR.
+# See: https://github.com/orgs/celestiaorg/teams/protocol/edit/review_assignment
+
+# global owners
+* @celestiaorg/protocol

abci/client/socket_client.go

@@ -504,6 +504,8 @@ func resMatchesReq(req *types.Request, res *types.Response) (ok bool) {
 		_, ok = res.Value.(*types.Response_ProcessProposal)
 	case *types.Request_FinalizeBlock:
 		_, ok = res.Value.(*types.Response_FinalizeBlock)
+	case *types.Request_QuerySequence:
+		_, ok = res.Value.(*types.Response_QuerySequence)
 	}
 	return ok
 }

abci/client/socket_client_test.go

@@ -195,6 +195,34 @@ func TestCallbackInvokedWhenSetLate(t *testing.T) {
 	require.True(t, called)
 }
 
+// TestQuerySequenceCrashesSocketClient reproduces a vulnerability where calling
+// QuerySequence over the socket ABCI transport causes the client to stop with
+// an error because resMatchesReq is missing the QuerySequence case. When this
+// happens in production, killTMOnClientError terminates the entire node.
+// A remote peer can trigger this by sending a SeenTx message with a non-empty
+// Signer field, which causes the CAT mempool reactor to call QuerySequence
+// before validating the message fields.
+func TestQuerySequenceCrashesSocketClient(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	app := types.BaseApplication{}
+	_, c := setupClientServer(t, app)
+
+	// Call QuerySequence over the socket transport. If the bug is present,
+	// the socket client will stop itself because resMatchesReq returns false
+	// for Request_QuerySequence <-> Response_QuerySequence.
+	resp, err := c.QuerySequence(ctx, &types.RequestQuerySequence{
+		Signer: []byte("test-signer"),
+	})
+
+	// With the bug: err != nil and c.Error() != nil (client stopped itself).
+	// With the fix: err == nil, resp is valid, client remains running.
+	require.NoError(t, err, "QuerySequence should not cause socket client error")
+	require.NotNil(t, resp, "QuerySequence should return a response")
+	require.NoError(t, c.Error(), "socket client should still be running without error")
+}
+
 type blockedABCIApplication struct {
 	wg *sync.WaitGroup
 	types.BaseApplication