x/vulndb: potential Go vuln in github.com/ipfs/go-ipfs: GHSA-27pv-q55r-222g

[GoVulnBot]

In GitHub Security Advisory GHSA-27pv-q55r-222g, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/ipfs/go-ipfs	0.8.0	< 0.8.0

Cross references:

• CVE-2020-26279 appears in issue x/vulndb: potential Go vuln in github.com/ipfs/go-ipfs: GHSA-27pv-q55r-222g #779 NOT_IMPORTABLE
• GHSA-27pv-q55r-222g appears in issue x/vulndb: potential Go vuln in github.com/ipfs/go-ipfs: GHSA-27pv-q55r-222g #779 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 0.8.0
    packages:
      - package: github.com/ipfs/go-ipfs
description: |-
    ### Impact
    It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when `ipfs get` is done on an affected DAG.

    1. The only affected command is `ipfs get`.
    2. The gateway is not affected.

    ### Patches
    Traversal fix patched in https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227
    `tar-utils` patch applied to go-ipfs via https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2

    ### Workarounds
    Upgrade to go-ipfs 0.8 or later.

    ### References
    Binaries for the patched versions of go-ipfs are available on the IPFS distributions site, https://dist.ipfs.io/go-ipfs

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs)
    * Email us at [[email protected]](mailto:[email protected])
cves:
  - CVE-2020-26279
ghsas:
  - GHSA-27pv-q55r-222g

[tatianab]

Duplicate of #779