| Summary: | <dev-ruby/archive-tar-minitar-0.6.1: directory traversal vulnerability (CVE-2016-10173) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | ruby |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2017/01/24/7 | ||
| Whiteboard: | B3 [glsa cve] | ||
| Package list: |
=dev-ruby/archive-tar-minitar-0.6.1
|
Runtime testing required: | --- |
| Bug Depends on: | 609422 | ||
| Bug Blocks: | |||
dev-ruby/archive-tar-minitar-0.6.1 is the upstream version that has this fixed. It is now in the tree. @ Arches, please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1 amd64 stable (In reply to Thomas Deutschmann from comment #2) > @ Arches, > > please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1 Arches may also consider dropping their keywords to testing. No stable packages depend on this anymore. x86 stable sparc stable ppc ppc64 stable. Stable for HPPA. ia64 stable Stable on alpha. GLSA Vote: Yes New GLSA request filed. @ Maintainer(s): Please cleanup and drop =dev-ruby/archive-tar-minitar-0.5.4-r2! Cleanup done. This issue was resolved and addressed in GLSA 201702-32 at https://security.gentoo.org/glsa/201702-32 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : Rubygem minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Issue: https://github.com/halostatue/minitar/issues/16 Upstream patch: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4 The same issue exists in rubygem archive-tar-minitar @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.