From ${URL} :

Rubygem minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

Issue: https://github.com/halostatue/minitar/issues/16
Upstream patch: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
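The defect class named in the report (an archive entry name containing ".." that resolves outside the extraction directory) is easy to check for before writing anything to disk. The following is an added example of such a check, not minitar's own code and not the upstream patch; `safe_entry_path?`, `extract_entries` and the `SAMPLE_ENTRIES` list are constructed for this illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not minitar's implementation): refuse archive entry names
# that would land outside the extraction directory.

# True when entry_name, resolved against dest_dir, cannot escape dest_dir.
def safe_entry_path?(dest_dir, entry_name)
  dest = File.expand_path(dest_dir)
  # An archive must never dictate an absolute destination.
  return false if entry_name.start_with?('/')
  # Reject any ".." component, even one that would resolve back inside
  # (e.g. "a/../b"), so the rule stays simple to audit.
  return false if entry_name.split('/').include?('..')
  # Defence in depth: the fully resolved target must still sit under dest.
  target = File.expand_path(entry_name, dest)
  target == dest || target.start_with?(dest + File::SEPARATOR)
end

# Constructed stand-in for archive entries: [name, contents] pairs.
SAMPLE_ENTRIES = [
  ['README', "hello\n"],
  ['sub/file.txt', "nested\n"],
  ['../../etc/evil', "traversal\n"],
  ['/tmp/absolute', "absolute\n"],
  ['sub/../../outside', "up and out\n"],
].freeze

# Writes only the safe entries under dest_dir; returns the rejected names.
def extract_entries(dest_dir, entries)
  rejected = []
  entries.each do |name, contents|
    unless safe_entry_path?(dest_dir, name)
      rejected << name
      next
    end
    path = File.expand_path(name, dest_dir)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, contents)
  end
  rejected
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    rejected = extract_entries(dir, SAMPLE_ENTRIES)
    puts "rejected: #{rejected.inspect}"
    written = Dir.glob(File.join(dir, '**', '*')).select { |f| File.file?(f) }
    puts "written:  #{written.inspect}"
  end
end
```

The check covers regular-file entries only; an extractor that also materialises symbolic links needs to apply the same containment rule to link targets, and should resolve the final path again after any links already on disk have been created.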
dev-ruby/archive-tar-minitar-0.6.1 is the upstream version that has this fixed. It is now in the tree.
@ Arches, please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1
amd64 stable
(In reply to Thomas Deutschmann from comment #2)
> @ Arches,
>
> please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1

Arches may also consider dropping their keywords to testing. No stable packages depend on this anymore.
x86 stable
sparc stable
ppc ppc64 stable.
Stable for HPPA.
ia64 stable
Stable on alpha.
GLSA Vote: Yes

New GLSA request filed.

@ Maintainer(s): Please cleanup and drop =dev-ruby/archive-tar-minitar-0.5.4-r2!
Cleanup done.
This issue was resolved and addressed in GLSA 201702-32 at https://security.gentoo.org/glsa/201702-32 by GLSA coordinator Thomas Deutschmann (whissi).