Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 778182 (CVE-2020-26279, CVE-2020-26283)

Summary: <net-p2p/go-ipfs{,-bin}-0.8.0: multiple vulnerabilities (CVE-2020-{26279,26283})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: davidroman96, hurikhan77+bgo, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/21805
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 14:46:05 UTC 
CVE-2020-26279 (https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g):

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1.

CVE-2020-26283 (https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm):

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0.


Please bump -bin to 0.8.0 and cleanup versions <0.8.0 for both.
Comment 1 NATTkA bot gentoo-dev Security 2021-07-29 17:23:33 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev Security 2021-07-29 17:31:56 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev Security 2021-07-29 17:39:50 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev Security 2021-07-29 17:48:01 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev Security 2021-07-29 18:03:57 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev Security 2021-07-29 18:12:16 UTC 
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2021-08-01 06:39:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17f3c97b8744ff8c88e6e23a453d46ea4b910f96

commit 17f3c97b8744ff8c88e6e23a453d46ea4b910f96
Author:     David Roman <davidroman96@gmail.com>
AuthorDate: 2021-07-29 19:05:41 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-08-01 06:39:30 +0000

    net-p2p/go-ipfs: remove old ebuild
    
    Bug: https://bugs.gentoo.org/778182
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: David Roman <davidroman96@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/21805
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-p2p/go-ipfs/Manifest             |  362 --------
 net-p2p/go-ipfs/go-ipfs-0.7.0.ebuild | 1624 ----------------------------------
 2 files changed, 1986 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:22:03 UTC 
go-ipfs-bin is gone, done here! Closing