Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 659282 (CVE-2018-1000544)

Summary: <dev-ruby/rubyzip-1.2.2: Directory Traversal vulnerability (CVE-2018-1000544)
Product: Gentoo Security Reporter: Florian Schuhmacher <mynt1aa>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/rubyzip/rubyzip/issues/369
Whiteboard: B3 [noglsa cve]
Package list:
dev-ruby/rubyzip-1.2.2
 Runtime testing required: ---

Description Florian Schuhmacher 2018-06-26 19:02:12 UTC 
rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Hans de Graaff gentoo-dev Security 2018-06-27 04:39:34 UTC 
No upstream patches yet.
Comment 3 Hans de Graaff gentoo-dev Security 2018-09-01 06:17:51 UTC 
This has been fixed upstream in version 1.2.2, which has now been added and can be marked stable.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-21 23:40:01 UTC 
ppc stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-21 23:40:48 UTC 
ppc64 stable
Comment 6 Hans de Graaff gentoo-dev Security 2019-01-22 06:16:42 UTC 
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-23 21:27:03 UTC 
hppa stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-24 22:25:54 UTC 
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2019-01-30 13:20:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be348a03f8c8fc100128875e2baaf2cb09fd6653

commit be348a03f8c8fc100128875e2baaf2cb09fd6653
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:56 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:56 +0000

    dev-ruby/rubyzip-1.2.2-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/659282
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-ruby/rubyzip/rubyzip-1.2.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Markus Meier gentoo-dev 2019-01-31 20:20:14 UTC 
arm stable, all arches done.
Comment 11 Hans de Graaff gentoo-dev Security 2019-02-01 08:06:06 UTC 
cleanup done.