Hello community,

here is the log from the commit of package rubygem-minitar for openSUSE:Factory checked in at 2017-02-02 15:43:51

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-minitar (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-minitar.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-minitar" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-minitar/rubygem-minitar.changes 2016-09-23 11:34:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-minitar.new/rubygem-minitar.changes 2017-02-03 20:00:32.884866898 +0100 @@ -1,0 +2,7 @@ +Fri Jan 27 17:40:36 UTC 2017 - jmassaguer...@suse.com + +- fix CVE-2016-10173 (bsc#1021740): rubygem-minitar, + rubygem-archive-tar-minitar: directory traversal vulnerability + bsc_1021740.patch: contains the fix + +------------------------------------------------------------------- New: ---- bsc_1021740.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-minitar.spec ++++++ --- /var/tmp/diff_new_pack.IBYOkX/_old 2017-02-03 20:00:33.284810605 +0100 +++ /var/tmp/diff_new_pack.IBYOkX/_new 2017-02-03 20:00:33.288810043 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-minitar # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,14 +29,17 @@ %define mod_name minitar %define mod_full_name %{mod_name}-%{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: ruby-macros >= 5 BuildRequires: %{ruby >= 1.8.2} BuildRequires: %{rubygem gem2rpm} BuildRequires: %{rubygem rdoc > 3.10} +BuildRequires: ruby-macros >= 5 BuildRequires: update-alternatives Url: http://www.github.com/atoulme/minitar Source: http://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml +# MANUAL +Patch0: bsc_1021740.patch +# /MANUAL Summary: Provides POSIX tarchive management from Ruby programs License: Ruby Group: Development/Languages/Ruby 
@@ -51,6 +54,10 @@ http://www.github.com/atoulme/minitar. %prep +%gem_unpack +%patch0 -p1 +find -type f -print0 | xargs -0 touch -r %{S:0} +%gem_build %build ++++++ bsc_1021740.patch ++++++ diff --git a/lib/archive/tar/minitar.rb b/lib/archive/tar/minitar.rb index 5ad466d..21c5a07 100644 --- a/lib/archive/tar/minitar.rb +++ b/lib/archive/tar/minitar.rb @@ -975,6 +975,9 @@ module Archive::Tar::Minitar end inp.each do |entry| + if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/ + raise entry.full_name + " Error path contains .." + end if files.empty? or files.include?(entry.full_name) inp.extract_entry(dest, entry, &block) end ++++++ gem2rpm.yml ++++++ --- /var/tmp/diff_new_pack.IBYOkX/_old 2017-02-03 20:00:33.332803850 +0100 +++ /var/tmp/diff_new_pack.IBYOkX/_new 2017-02-03 20:00:33.336803287 +0100 @@ -1,2 +1,4 @@ --- :license: 'Ruby' +:patches: + bsc_1021740.patch: -p1
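Review bot: in the rubygem-minitar.spec hunk that adds the `# MANUAL` block with `Patch0: bsc_1021740.patch`, the neighbouring `Url:` and `Source:` lines still point at plain-http URLs (`http://www.github.com/atoulme/minitar`, `http://rubygems.org/gems/%{mod_full_name}.gem`); both hosts serve https, and since this change is specifically about fetching and rebuilding the gem with a security patch applied, switching the two lines to https removes a tampering opportunity during source download. Moving `BuildRequires: ruby-macros >= 5` below the `%{rubygem ...}` lines is purely cosmetic and could be mentioned in the changes entry or left out of a security fix.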
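Review bot: the `%prep` hunk adds `find -type f -print0 | xargs -0 touch -r %{S:0}` between `%patch0 -p1` and `%gem_build` without any comment; since the line is there to give the patched files the timestamp of the source gem so that the rebuilt gem does not carry build-time mtimes, a one-line comment above it (for example `# keep mtimes identical to the source gem for a reproducible rebuild`) would save the next maintainer from guessing. Note also that `touch -r` is applied to every file, not only the one touched by the patch, which is fine for reproducibility but worth stating.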
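Review bot: in the bsc_1021740.patch hunk, the expression `entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/` is not anchored to a path-component boundary, so it rejects legitimate entry names such as `foo..` or `...` while the only dangerous case is `..` as a whole component; anchoring it as `%r{(?:\A|/)\.\.(?:/|\z)}` keeps the traversal protection (the `squeeze('/')` already handles repeated separators such as `a//..//b`) without the false positives. The check is also placed only in this `inp.each do |entry|` loop, so a caller that invokes `inp.extract_entry(dest, entry, &block)` directly still gets no protection; moving the test into `extract_entry` would cover both paths with one check. Finally, `raise entry.full_name + " Error path contains .."` raises a bare RuntimeError with the entry name glued in front of an awkward message; a dedicated exception class and a message such as `"#{entry.full_name}: path contains '..'"` would be easier for callers to rescue and to read.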
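Review bot: the gem2rpm.yml hunk adds `:patches: bsc_1021740.patch: -p1` while the spec carries the same patch inside a `# MANUAL` / `# /MANUAL` block; if gem2rpm regenerates `Patch`/`%patch` lines from the `:patches:` key, the next regeneration will produce `Patch0` twice. Keep one of the two mechanisms (the `:patches:` key is the one gem2rpm maintains for you) and drop the manual block, or document why both are needed.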
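The changes entry above describes CVE-2016-10173 as a directory traversal vulnerability fixed by rejecting entry names containing `..`. The following is an added example, not code from the minitar gem or from bsc_1021740.patch: it takes the regex the patch applies after `squeeze('/')`, puts a component-anchored variant and a canonical-path containment check beside it, and runs all three over a constructed set of tar entry names to show where they agree, where the patch rejects legitimate names, and how absolute or `~`-prefixed names are handled. `STRICT_RE`, `safe_extract_path` and the sample names are this example's own assumptions.

```ruby
# Added example (not part of the minitar gem or of bsc_1021740.patch).
# PATCH_RE is the expression used by the patch; STRICT_RE and
# safe_extract_path are this example's own alternatives.

PATCH_RE  = /\.{2}(?:\/|\z)/           # as applied in the patch after squeeze('/')
STRICT_RE = %r{(?:\A|/)\.\.(?:/|\z)}   # ".." only where it is a whole path component

# The patch's test: any ".." followed by "/" or end of string, after
# collapsing repeated slashes.
def rejected_by_patch?(name)
  !!(name.squeeze('/') =~ PATCH_RE)
end

# Same idea, but ".." must be preceded by the start of the name or a "/",
# so names such as "foo.." or "a/..b/c" are no longer rejected.
def rejected_by_strict?(name)
  !!(name.squeeze('/') =~ STRICT_RE)
end

# Canonical-path containment: resolve where the entry would land and refuse
# anything that ends up outside dest. The "./" prefix keeps File.expand_path
# from expanding a leading "~" as a home directory and re-roots absolute
# names under dest. Returns the absolute target path, or nil when refused.
def safe_extract_path(dest, name)
  base = File.expand_path(dest)
  full = File.expand_path("./#{name}", base)
  return nil unless full == base || full.start_with?(base + "/")
  full
end

# Constructed entry names (not from any real archive) with the result expected
# from each check, in the order
# [rejected_by_patch?, rejected_by_strict?, safe_extract_path("/tmp/out", name)]
SAMPLES = {
  "etc/passwd"         => [false, false, "/tmp/out/etc/passwd"],
  ".."                 => [true,  true,  nil],
  "../etc/passwd"      => [true,  true,  nil],
  "a/../../etc/passwd" => [true,  true,  nil],
  "a//..//b"           => [true,  true,  "/tmp/out/b"],        # regexes reject; resolves inside dest
  "foo.."              => [true,  false, "/tmp/out/foo.."],    # patch rejects a legitimate name
  "..."                => [true,  false, "/tmp/out/..."],      # same
  "a/..b/c"            => [false, false, "/tmp/out/a/..b/c"],
  "~/secret"           => [false, false, "/tmp/out/~/secret"], # no home-directory expansion
  "/etc/passwd"        => [false, false, "/tmp/out/etc/passwd"], # absolute name re-rooted
}

def classify(name, dest = "/tmp/out")
  [rejected_by_patch?(name), rejected_by_strict?(name), safe_extract_path(dest, name)]
end

# name => true when all three checks behave as documented in SAMPLES
def run_samples
  SAMPLES.map { |name, expected| [name, classify(name) == expected] }.to_h
end

if __FILE__ == $0
  run_samples.each do |name, ok|
    puts format("%-22s %s", name.inspect, ok ? "as expected" : "MISMATCH")
  end
end
```

The containment check is the one to prefer in an extractor, because it judges the path that will actually be opened rather than a textual pattern; the two regexes are useful as a cheap first filter, and the anchored form avoids refusing archives that merely contain files whose names end in two dots. None of the three addresses symlink entries that point outside the destination, which must be handled when the entry is created, not from its name.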