Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 778182 (CVE-2020-26279, CVE-2020-26283) - <net-p2p/go-ipfs{,-bin}-0.8.0: multiple vulnerabilities (CVE-2020-{26279,26283})
Summary: <net-p2p/go-ipfs{,-bin}-0.8.0: multiple vulnerabilities (CVE-2020-{26279,26283})
Status: RESOLVED FIXED
Alias: CVE-2020-26279, CVE-2020-26283
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-03-25 14:46 UTC by John Helmert III
Modified: 2021-10-17 19:22 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 14:46:05 UTC 
CVE-2020-26279 (https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g):

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1.

CVE-2020-26283 (https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm):

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0.


Please bump -bin to 0.8.0 and cleanup versions <0.8.0 for both.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:23:33 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:56 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:39:50 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:48:01 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:57 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:12:16 UTC 
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2021-08-01 06:39:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17f3c97b8744ff8c88e6e23a453d46ea4b910f96

commit 17f3c97b8744ff8c88e6e23a453d46ea4b910f96
Author:     David Roman <davidroman96@gmail.com>
AuthorDate: 2021-07-29 19:05:41 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-08-01 06:39:30 +0000

    net-p2p/go-ipfs: remove old ebuild
    
    Bug: https://bugs.gentoo.org/778182
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: David Roman <davidroman96@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/21805
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-p2p/go-ipfs/Manifest             |  362 --------
 net-p2p/go-ipfs/go-ipfs-0.7.0.ebuild | 1624 ----------------------------------
 2 files changed, 1986 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:22:03 UTC 
go-ipfs-bin is gone, done here! Closing