Control: tags -1 pending

I have uploaded a security update to address CVE-2018-1000544. Please find attached the debdiff.
Markus
diff -Nru ruby-zip-1.2.1/debian/changelog ruby-zip-1.2.1/debian/changelog --- ruby-zip-1.2.1/debian/changelog 2017-06-27 20:18:00.000000000 +0200 +++ ruby-zip-1.2.1/debian/changelog 2018-08-13 13:57:54.000000000 +0200 @@ -1,3 +1,15 @@ +ruby-zip (1.2.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2018-1000544: + rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory + Traversal vulnerability that can be exploited to write arbitrary files to + the filesystem. (Closes: #902720) + * Drop CVE-2017-5946.patch because this one was already fixed in version + 1.2.1. + + -- Markus Koschany <a...@debian.org> Mon, 13 Aug 2018 13:57:54 +0200 + ruby-zip (1.2.1-1) unstable; urgency=medium * Team upload diff -Nru ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch --- ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch 2017-06-27 20:18:00.000000000 +0200 +++ ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,23 +0,0 @@ -From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001 -From: Alexander Simonov <a...@simonov.me> -Date: Wed, 8 Feb 2017 13:43:14 +0200 -Subject: [PATCH] Fix #315 and resolve relative path vulnerability - ---- - lib/zip/entry.rb | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/lib/zip/entry.rb -+++ b/lib/zip/entry.rb -@@ -155,6 +155,11 @@ - return self - end - -+ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/ -+ puts "WARNING: skipped \"../\" path component(s) in #{@name}" -+ return self -+ end -+ - if directory? || file? || symlink? - __send__("create_#{@ftype}", dest_path, &block) - else Binärdateien /tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch und /tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch sind verschieden. Binärdateien /tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch und /tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch sind verschieden. diff -Nru ruby-zip-1.2.1/debian/patches/series ruby-zip-1.2.1/debian/patches/series --- ruby-zip-1.2.1/debian/patches/series 2017-06-27 20:18:00.000000000 +0200 +++ ruby-zip-1.2.1/debian/patches/series 2018-08-13 13:57:54.000000000 +0200 @@ -1,4 +1,5 @@ require-forwardable-fix-test.patch ignore-simplecov.diff fix-random-tests-failures -CVE-2017-5946.patch +CVE-2018-1000544_part1.patch +CVE-2018-1000544_part2.patch diff -Nru ruby-zip-1.2.1/debian/source/include-binaries ruby-zip-1.2.1/debian/source/include-binaries --- ruby-zip-1.2.1/debian/source/include-binaries 1970-01-01 01:00:00.000000000 +0100 +++ ruby-zip-1.2.1/debian/source/include-binaries 2018-08-13 13:57:54.000000000 +0200 @@ -0,0 +1,2 @@ +debian/patches/CVE-2018-1000544_part1.patch +debian/patches/CVE-2018-1000544_part2.patch
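Review bot: removing debian/patches/CVE-2017-5946.patch drops the only visible guard against relative-path entries (`if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/` followed by `return self`), so the upload is only safe if the 1.2.1 upstream source already carries an equivalent check in lib/zip/entry.rb, as the changelog entry asserts ("already fixed in version 1.2.1"). It would help reviewers if the changelog or the bug report named the upstream commit that made this patch redundant, so the claim can be verified rather than taken on trust, and ideally a quick test that an archive with a `../` entry is still refused by the packaged build.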
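Review bot: the two files that carry the actual fix, CVE-2018-1000544_part1.patch and CVE-2018-1000544_part2.patch, appear in this debdiff only as "Binärdateien ... sind verschieden" (binary files differ), so the code change for the CVE cannot be reviewed from this mail at all, and the new `debian/source/include-binaries` hunk exists only to make dpkg-source accept patch files as binaries. Patch files should be plain text: please check why diff treats them as binary (for example a stray NUL byte or a non-text encoding in the header) and regenerate them as text, which makes the fix reviewable in the debdiff and lets the include-binaries file be dropped entirely.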