rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem.. Gentoo Security Scout Florian Schuhmacher
No upstream patches yet.
Proposed upstream patch: https://github.com/rubyzip/rubyzip/pull/371 Debian has shipped https://sources.debian.org/src/ruby-zip/1.2.1-1.1/debian/patches/CVE-2018-1000544_part1.patch/ https://sources.debian.org/src/ruby-zip/1.2.1-1.1/debian/patches/CVE-2018-1000544_part2.patch/
This has been fixed upstream in version 1.2.2, which has now been added and can be marked stable.
ppc stable
ppc64 stable
amd64 stable
hppa stable
x86 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be348a03f8c8fc100128875e2baaf2cb09fd6653 commit be348a03f8c8fc100128875e2baaf2cb09fd6653 Author: Tobias Klausmann <klausman@gentoo.org> AuthorDate: 2019-01-30 13:19:56 +0000 Commit: Tobias Klausmann <klausman@gentoo.org> CommitDate: 2019-01-30 13:19:56 +0000 dev-ruby/rubyzip-1.2.2-r0: alpha stable Bug: http://bugs.gentoo.org/659282 Signed-off-by: Tobias Klausmann <klausman@gentoo.org> dev-ruby/rubyzip/rubyzip-1.2.2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
arm stable, all arches done.
cleanup done.