Control: tags -1 pending

I have uploaded a security update to address CVE-2018-1000544. Please
find attached the debdiff.

Markus
diff -Nru ruby-zip-1.2.1/debian/changelog ruby-zip-1.2.1/debian/changelog
--- ruby-zip-1.2.1/debian/changelog     2017-06-27 20:18:00.000000000 +0200
+++ ruby-zip-1.2.1/debian/changelog     2018-08-13 13:57:54.000000000 +0200
@@ -1,3 +1,15 @@
+ruby-zip (1.2.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-1000544:
+    rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory
+    Traversal vulnerability that can be exploited to write arbitrary files to
+    the filesystem. (Closes: #902720)
+  * Drop CVE-2017-5946.patch because this one was already fixed in version
+    1.2.1.
+
+ -- Markus Koschany <a...@debian.org>  Mon, 13 Aug 2018 13:57:54 +0200
+
 ruby-zip (1.2.1-1) unstable; urgency=medium
 
   * Team upload
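Review bot: the CVE description on the `rubyzip gem rubyzip version 1.2.1` line reads doubled; suggest `rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability that can be exploited to write arbitrary files to the filesystem.` Also, because the two CVE-2018-1000544 patch files appear in this debdiff only as binary files that differ, this changelog entry is the one place a reviewer can learn where the fix comes from; naming the upstream commit(s) that CVE-2018-1000544_part1.patch and _part2.patch were taken from would make the backport checkable.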
diff -Nru ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch 
ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch
--- ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch   2017-06-27 
20:18:00.000000000 +0200
+++ ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch   1970-01-01 
01:00:00.000000000 +0100
@@ -1,23 +0,0 @@
-From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
-From: Alexander Simonov <a...@simonov.me>
-Date: Wed, 8 Feb 2017 13:43:14 +0200
-Subject: [PATCH] Fix #315 and resolve relative path vulnerability
-
----
- lib/zip/entry.rb | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/lib/zip/entry.rb
-+++ b/lib/zip/entry.rb
-@@ -155,6 +155,11 @@
-         return self
-       end
- 
-+      if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
-+        puts "WARNING: skipped \"../\" path component(s) in #{@name}"
-+        return self
-+      end
-+
-       if directory? || file? || symlink?
-         __send__("create_#{@ftype}", dest_path, &block)
-       else
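Review bot: the patch removed here added a guard in lib/zip/entry.rb that refuses to extract an entry whose `@name` contains a `..` path component (`if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/`). The changelog says this was already fixed in 1.2.1, but nothing in the debdiff shows the equivalent check, so please confirm that the 1.2.1 source (or the new CVE-2018-1000544 patches) still rejects such names before this removal lands; otherwise the CVE-2017-5946 mitigation is silently lost.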
Binärdateien 
/tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch und 
/tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch sind 
verschieden.
Binärdateien 
/tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch und 
/tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch sind 
verschieden.
diff -Nru ruby-zip-1.2.1/debian/patches/series 
ruby-zip-1.2.1/debian/patches/series
--- ruby-zip-1.2.1/debian/patches/series        2017-06-27 20:18:00.000000000 
+0200
+++ ruby-zip-1.2.1/debian/patches/series        2018-08-13 13:57:54.000000000 
+0200
@@ -1,4 +1,5 @@
 require-forwardable-fix-test.patch
 ignore-simplecov.diff
 fix-random-tests-failures
-CVE-2017-5946.patch
+CVE-2018-1000544_part1.patch
+CVE-2018-1000544_part2.patch
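Review bot: with CVE-2017-5946.patch dropped and two opaque part1/part2 files added, the series no longer tells a reader what each patch touches; a DEP-3 header (Origin, Bug, Description) in each new patch would record that, and running `quilt push -a` on the unpacked source confirms that part1 and part2 apply cleanly in this order.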
diff -Nru ruby-zip-1.2.1/debian/source/include-binaries 
ruby-zip-1.2.1/debian/source/include-binaries
--- ruby-zip-1.2.1/debian/source/include-binaries       1970-01-01 
01:00:00.000000000 +0100
+++ ruby-zip-1.2.1/debian/source/include-binaries       2018-08-13 
13:57:54.000000000 +0200
@@ -0,0 +1,2 @@
+debian/patches/CVE-2018-1000544_part1.patch
+debian/patches/CVE-2018-1000544_part2.patch
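Review bot: listing patch files in debian/source/include-binaries is a red flag: patches are expected to be plain text, and the fact that dpkg-source (and the debdiff above, which reports both files as binary) cannot treat them as text means the actual code change is invisible in this review. If the non-text content is test fixture data bundled in the upstream commit, split it out so the code portion is a readable text patch, and drop this file.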
