Hello community,
here is the log from the commit of package rubygem-archive-tar-minitar for
openSUSE:Factory checked in at 2017-02-02 15:43:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-archive-tar-minitar (Old)
and /work/SRC/openSUSE:Factory/.rubygem-archive-tar-minitar.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-archive-tar-minitar"
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-archive-tar-minitar/rubygem-archive-tar-minitar.changes
2014-10-15 08:52:26.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-archive-tar-minitar.new/rubygem-archive-tar-minitar.changes
2017-02-03 20:00:01.921225125 +0100
@@ -1,0 +2,7 @@
+Fri Jan 27 17:42:20 UTC 2017 - [email protected]
+
+- fix CVE-2016-10173 (bsc#1021740): rubygem-minitar,
+ rubygem-archive-tar-minitar: directory traversal vulnerability
+ bsc_1021740.patch: contains the fix
+
+-------------------------------------------------------------------
New:
----
bsc_1021740.patch
gem2rpm.yml
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-archive-tar-minitar.spec ++++++
--- /var/tmp/diff_new_pack.0kSc1e/_old 2017-02-03 20:00:02.761106908 +0100
+++ /var/tmp/diff_new_pack.0kSc1e/_new 2017-02-03 20:00:02.841095650 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-archive-tar-minitar
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,13 @@
#
+#
+# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
+# All sections marked as MANUAL, license headers, summaries and descriptions
+# can be maintained in that file. Please consult this file before editing any
+# of those fields
+#
+
Name: rubygem-archive-tar-minitar
Version: 0.5.2
Release: 0
@@ -29,6 +36,10 @@
BuildRequires: update-alternatives
Url: http://rubyforge.org/projects/ruwiki/
Source: http://rubygems.org/gems/%{mod_full_name}.gem
+Source1: gem2rpm.yml
+# MANUAL
+Patch0: bsc_1021740.patch
+# /MANUAL
Summary: Provides POSIX tarchive management from Ruby programs
License: GPL-2.0+ or Ruby
Group: Development/Languages/Ruby
@@ -41,6 +52,10 @@
rpa-base, but has been reorganised to promote reuse in other projects.
%prep
+%gem_unpack
+%patch0 -p1
+find -type f -print0 | xargs -0 touch -r %{S:0}
+%gem_build
%build
++++++ bsc_1021740.patch ++++++
diff --git a/lib/archive/tar/minitar.rb b/lib/archive/tar/minitar.rb
index 5ad466d..21c5a07 100644
--- a/lib/archive/tar/minitar.rb
+++ b/lib/archive/tar/minitar.rb
@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
end
inp.each do |entry|
+ if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+ raise entry.full_name + " Error path contains .."
+ end
if files.empty? or files.include?(entry.full_name)
inp.extract_entry(dest, entry, &block)
end
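Review bot: The added regex rejects any path component that merely ends in `..` (an entry named `notes..` or `a../b` aborts the whole unpack), while the traversal it must stop is a component that is exactly `..`; anchoring the component start fixes both: `if entry.full_name.squeeze('/') =~ %r{(?:\A|/)\.\.(?:/|\z)}`. The guard also lives only in this iteration loop, so a caller that invokes `inp.extract_entry(dest, entry)` directly — the same call made on the line after the check, and presumably a public method of Input — is still unprotected; moving the check into `extract_entry` would cover every path to disk. Raising a bare string produces a RuntimeError whose message begins with attacker-controlled text; `raise ArgumentError, "Path contains '..': #{entry.full_name}"` is clearer to rescue and to read. Whether symlink entries pointing outside `dest` are handled is not visible here and should be confirmed separately. The enclosing method begins and ends outside this hunk.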
++++++ gem2rpm.yml ++++++
# ---
# ## used by gem2rpm
# :summary: this is a custom summary
# ## used by gem2rpm
# :description: |-
# this is a custom description
#
# it can be multiline
# ## used by gem2rpm
:license: GPL-2.0+ or Ruby
# ## used by gem2rpm and gem_packages
# :version_suffix: -x_y
# ## used by gem2rpm and gem_packages
# :disable_docs: true
# ## used by gem2rpm
# :disable_automatic_rdoc_dep: true
# ## used by gem2rpm
# :preamble: |-
# BuildRequires: foobar
# Requires: foobar
# ## used by gem2rpm
:patches:
bsc_1021740.patch: -p1
# bar.patch:
# ## used by gem2rpm
# :sources:
# - foo.desktop
# - bar.desktop
# :gem_install_args: '....'
# ## used by gem2rpm
# :pre_install: |-
# %if 0%{?use_system_libev}
# export USE_VENDORED_LIBEV="no"
# %endif
# ## used by gem2rpm
# :post_install: |-
# # delete custom files here or do other fancy stuff
# install -D -m 0644 %{S:1} %{buildroot}%{_bindir}/gem2rpm-opensuse
# ## used by gem2rpm
# :testsuite_command: |-
# (pushd %{buildroot}%{gem_base}/gems/%{mod_full_name} && rake test)
# ## used by gem2rpm
# :filelist: |-
# /usr/bin/gem2rpm-opensuse
# ## used by gem2rpm
# :scripts:
# :post: |-
# /bin/echo foo
# ## used by gem_packages
# :main:
# :preamble: |-
# Requires: util-linux
# Recommends: pwgen
# :filelist: |-
# /usr/bin/gem2rpm-opensuse
# ## used by gem_packages
# :custom:
# apache:
# :preamble: |-
# Requires: .....
# :filelist: |-
# /etc/apache2/conf.d/passenger.conf
# :summary: Custom summary is optional
# :description: |-
# Custom description is optional
#
# bar
# :post: |-
# /bin/echo foo
#