Hello community, here is the log from the commit of package rubygem-archive-tar-minitar for openSUSE:Factory checked in at 2017-02-02 15:43:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-archive-tar-minitar (Old) and /work/SRC/openSUSE:Factory/.rubygem-archive-tar-minitar.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-archive-tar-minitar"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-archive-tar-minitar/rubygem-archive-tar-minitar.changes 2014-10-15 08:52:26.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-archive-tar-minitar.new/rubygem-archive-tar-minitar.changes 2017-02-03 20:00:01.921225125 +0100
@@ -1,0 +2,7 @@
+Fri Jan 27 17:42:20 UTC 2017 - jmassaguer...@suse.com
+
+- fix CVE-2016-10173 (bsc#1021740): rubygem-minitar,
+ rubygem-archive-tar-minitar: directory traversal vulnerability
+ bsc_1021740.patch: contains the fix
+
+-------------------------------------------------------------------
New:
----
bsc_1021740.patch
gem2rpm.yml
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-archive-tar-minitar.spec ++++++
--- /var/tmp/diff_new_pack.0kSc1e/_old 2017-02-03 20:00:02.761106908 +0100
+++ /var/tmp/diff_new_pack.0kSc1e/_new 2017-02-03 20:00:02.841095650 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-archive-tar-minitar
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,13 @@
 #
+#
+# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
+# All sections marked as MANUAL, license headers, summaries and descriptions
+# can be maintained in that file. Please consult this file before editing any
+# of those fields
+#
+
 Name: rubygem-archive-tar-minitar
 Version: 0.5.2
 Release: 0
@@ -29,6 +36,10 @@
 BuildRequires: update-alternatives
 Url: http://rubyforge.org/projects/ruwiki/
 Source: http://rubygems.org/gems/%{mod_full_name}.gem
+Source1: gem2rpm.yml
+# MANUAL
+Patch0: bsc_1021740.patch
+# /MANUAL
 Summary: Provides POSIX tarchive management from Ruby programs
 License: GPL-2.0+ or Ruby
 Group: Development/Languages/Ruby
@@ -41,6 +52,10 @@
 rpa-base, but has been reorganised to promote reuse in other projects.
 %prep
+%gem_unpack
+%patch0 -p1
+find -type f -print0 | xargs -0 touch -r %{S:0}
+%gem_build
 %build
++++++ bsc_1021740.patch ++++++
diff --git a/lib/archive/tar/minitar.rb b/lib/archive/tar/minitar.rb
index 5ad466d..21c5a07 100644
--- a/lib/archive/tar/minitar.rb
+++ b/lib/archive/tar/minitar.rb
@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
 end
 inp.each do |entry|
+ if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+ raise entry.full_name + " Error path contains .."
+ end
 if files.empty? or files.include?(entry.full_name)
 inp.extract_entry(dest, entry, &block)
 end
++++++ gem2rpm.yml ++++++
# --- # ## used by gem2rpm # :summary: this is a custom summary # ## used by gem2rpm # :description: |- # this is a custom description # # it can be multiline # ## used by gem2rpm :license: GPL-2.0+ or Ruby # ## used by gem2rpm and gem_packages # :version_suffix: -x_y # ## used by gem2rpm and gem_packages # :disable_docs: true # ## used by gem2rpm # :disable_automatic_rdoc_dep: true # ## used by gem2rpm # :preamble: |- # BuildRequires: foobar # Requires: foobar # ## used by gem2rpm :patches: bsc_1021740.patch: -p1 # bar.patch: # ## used by gem2rpm # :sources: # - foo.desktop # - bar.desktop # :gem_install_args: '....' # ## used by gem2rpm # :pre_install: |- # %if 0%{?use_system_libev} # export USE_VENDORED_LIBEV="no" # %endif # ## used by gem2rpm # :post_install: |- # # delete custom files here or do other fancy stuff # install -D -m 0644 %{S:1} %{buildroot}%{_bindir}/gem2rpm-opensuse # ## used by gem2rpm # :testsuite_command: |- # (pushd %{buildroot}%{gem_base}/gems/%{mod_full_name} && rake test) # ## used by gem2rpm # :filelist: |- # /usr/bin/gem2rpm-opensuse # ## used by gem2rpm # :scripts: # :post: |- # /bin/echo foo # ## used by gem_packages # :main: # :preamble: |- # Requires: util-linux # Recommends: pwgen # :filelist: |- # /usr/bin/gem2rpm-opensuse # ## used by gem_packages # :custom: # apache: # :preamble: |- # Requires: ..... # :filelist: |- # /etc/apache2/conf.d/passenger.conf # :summary: Custom summary is optional # :description: |- # Custom description is optional # # bar # :post: |- # /bin/echo foo #
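Review bot: The `..` check sits in the `inp.each` loop of the unpack path rather than in `extract_entry` itself, so a caller that iterates an Input object and calls `extract_entry(dest, entry)` directly is still unprotected — assuming `extract_entry` is public, which its use here suggests; moving the three added lines to the top of `extract_entry`, keyed on the same `entry.full_name`, would cover both paths with a single check. `raise entry.full_name + " Error path contains .."` raises a bare `RuntimeError` whose message is the archive-supplied name; a dedicated error class under `Archive::Tar::Minitar` would let callers rescue this case specifically and carry the offending name as an attribute rather than in free-form message text. The regex also rejects any filename that merely ends in `..` (harmless, but worth a comment such as `# reject any path component that is exactly '..'; names ending in '..' are also refused`), and it screens only `..` components — absolute names and link entries, if `extract_entry` handles them, are not covered by this hunk. The enclosing method starts before the hunk, and because the raise precedes the `files` filter, a traversal entry aborts the whole extraction even when it was not selected for extraction, which is the safe choice but should be stated in the method's documentation.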