From ${URL} : The Zip::File component in the rubyzip gem for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem. Upstream bug: https://github.com/rubyzip/rubyzip/issues/315 Upstream patch: https://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
dev-ruby/rubyzip-0.9.9-r2 is also vulnerable. In any case we need dev-ruby/rubyzip-1.2.1 stable first.
Stable on alpha.
arm ppc ppc64 stable.
amd64 stable
x86 stable
sparc stable
Stable for HPPA.
Ia64 won't stabilize the package.
With 1.2.1 stabilized What do we do with slot 0 - 0.9.9-r2??
(In reply to Yury German from comment #9) > With 1.2.1 stabilized > What do we do with slot 0 - 0.9.9-r2?? rubyzip:0 is only used by dev-util/cucumber. We can either stable a new major verions (but many arches have not even keyworded this) or see whether cucumber will also work with rubyzip:1.
It turns out that, as far as I can tell, cucumber no longer needs rubyzip;0 for tests. I have removed the test dependency accordingly. rubyzip:0 has now been masked for removal. rubyzip:1 vulnerable versions have been removed.
Maintainer(s), Thank you for your work. GLSA Vote: No
Tree is clean.
