Impact
It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when ipfs get is done on an affected DAG.
- The only affected command is
ipfs get.
- The gateway is not affected.
Patches
Traversal fix patched in whyrusleeping/tar-utils@20a6137
tar-utils patch applied to go-ipfs via ipfs/kubo@b7ddba7
Workarounds
Upgrade to go-ipfs 0.8 or later.
References
Binaries for the patched versions of go-ipfs are available on the IPFS distributions site, https://dist.ipfs.io/go-ipfs
For more information
If you have any questions or comments about this advisory:
References
Impact
It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when
ipfs getis done on an affected DAG.ipfs get.Patches
Traversal fix patched in whyrusleeping/tar-utils@20a6137
tar-utilspatch applied to go-ipfs via ipfs/kubo@b7ddba7Workarounds
Upgrade to go-ipfs 0.8 or later.
References
Binaries for the patched versions of go-ipfs are available on the IPFS distributions site, https://dist.ipfs.io/go-ipfs
For more information
If you have any questions or comments about this advisory:
References