Bug 607110 (CVE-2016-10173) - <dev-ruby/archive-tar-minitar-0.6.1: directory traversal vulnerability (CVE-2016-10173)
Summary: <dev-ruby/archive-tar-minitar-0.6.1: directory traversal vulnerability (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2016-10173
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 609422
Blocks:
Reported: 2017-01-24 20:10 UTC by Agostino Sarubbo
Modified: 2017-02-22 11:26 UTC (History)

See Also:
Package list:
=dev-ruby/archive-tar-minitar-0.6.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-01-24 20:10:58 UTC
From ${URL} :

Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
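The check an extractor needs so that an entry name containing `..` cannot escape the destination, as an added illustration of the bug class; this is not minitar's code or its upstream patch, and it assumes a stand-alone extractor fed constructed in-memory entries rather than a real tar stream.

```ruby
require "fileutils"
require "tmpdir"

# Returns the absolute path an entry may be written to under +dest+, or nil
# when the entry name would land outside it (absolute name, ".." climbing out).
# File.absolute_path is used instead of File.expand_path on purpose: the latter
# treats a leading "~" as a home directory, which an archive must not trigger.
def safe_extract_path(dest, entry_name)
  base = File.absolute_path(dest)
  return nil if entry_name.start_with?("/")
  target = File.absolute_path(entry_name, base)
  # The target must be base itself (a "./" directory entry) or strictly below it.
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Extracts constructed in-memory entries (name => content) into +dest+,
# skipping any entry that fails the check. Returns [written, rejected] names.
# Symlink entries pointing outside +dest+ are a separate hazard not covered here.
def extract_entries(dest, entries)
  written = []
  rejected = []
  entries.each do |name, content|
    path = safe_extract_path(dest, name)
    if path.nil?
      rejected << name
      next
    end
    FileUtils.mkdir_p(File.dirname(path))
    File.binwrite(path, content)
    written << name
  end
  [written, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample archive: one benign entry and two that must be rejected.
  sample = {
    "docs/readme.txt" => "hello\n",
    "../../escaped.txt" => "owned\n",
    "/etc/passwd" => "x\n"
  }
  Dir.mktmpdir do |dir|
    written, rejected = extract_entries(dir, sample)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```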
Comment 1 Hans de Graaff gentoo-dev Security 2017-02-08 05:57:29 UTC
dev-ruby/archive-tar-minitar-0.6.1 is the upstream version that has this fixed. It is now in the tree.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 01:32:54 UTC
@ Arches,

please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-13 11:13:21 UTC
amd64 stable
Comment 4 Hans de Graaff gentoo-dev Security 2017-02-13 19:31:45 UTC
(In reply to Thomas Deutschmann from comment #2)
> @ Arches,
> 
> please test and mark stable: =dev-ruby/archive-tar-minitar-0.6.1

Arches may also consider dropping their keywords to testing. No stable packages depend on this anymore.
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-14 15:39:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-17 10:58:47 UTC
sparc stable
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-02-17 21:38:24 UTC
ppc ppc64 stable.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-18 13:42:56 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-18 14:46:18 UTC
ia64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-21 11:54:51 UTC
Stable on alpha.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 18:51:03 UTC
GLSA Vote: Yes

New GLSA request filed.

@ Maintainer(s): Please cleanup and drop =dev-ruby/archive-tar-minitar-0.5.4-r2!
Comment 12 Hans de Graaff gentoo-dev Security 2017-02-21 19:12:50 UTC
Cleanup done.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-02-22 11:26:50 UTC
This issue was resolved and addressed in
 GLSA 201702-32 at https://security.gentoo.org/glsa/201702-32
by GLSA coordinator Thomas Deutschmann (whissi).