Hello community,

here is the log from the commit of package rubygem-minitar for openSUSE:Factory 
checked in at 2017-02-02 15:43:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-minitar (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-minitar.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-minitar"

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-minitar/rubygem-minitar.changes  
2016-09-23 11:34:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-minitar.new/rubygem-minitar.changes     
2017-02-03 20:00:32.884866898 +0100
@@ -1,0 +2,7 @@
+Fri Jan 27 17:40:36 UTC 2017 - jmassaguer...@suse.com
+
+- fix CVE-2016-10173 (bsc#1021740): rubygem-minitar,
+  rubygem-archive-tar-minitar: directory traversal vulnerability
+  bsc_1021740.patch: contains the fix
+
+-------------------------------------------------------------------

New:
----
  bsc_1021740.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-minitar.spec ++++++
--- /var/tmp/diff_new_pack.IBYOkX/_old  2017-02-03 20:00:33.284810605 +0100
+++ /var/tmp/diff_new_pack.IBYOkX/_new  2017-02-03 20:00:33.288810043 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-minitar
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,14 +29,17 @@
 %define mod_name minitar
 %define mod_full_name %{mod_name}-%{version}
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  ruby-macros >= 5
 BuildRequires:  %{ruby >= 1.8.2}
 BuildRequires:  %{rubygem gem2rpm}
 BuildRequires:  %{rubygem rdoc > 3.10}
+BuildRequires:  ruby-macros >= 5
 BuildRequires:  update-alternatives
 Url:            http://www.github.com/atoulme/minitar
 Source:         http://rubygems.org/gems/%{mod_full_name}.gem
 Source1:        gem2rpm.yml
+# MANUAL
+Patch0:         bsc_1021740.patch
+# /MANUAL
 Summary:        Provides POSIX tarchive management from Ruby programs
 License:        Ruby
 Group:          Development/Languages/Ruby
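Review bot: Patch0 is declared twice in effect, once here inside the `# MANUAL` / `# /MANUAL` markers and once via the `:patches:` key added to gem2rpm.yml; the markers are what keeps the line across a gem2rpm regeneration, so both declarations must name the same file and strip level (`bsc_1021740.patch`, `-p1`) or the next regeneration silently drops the fix. The move of `BuildRequires:  ruby-macros >= 5` below the `%{rubygem ...}` lines changes nothing functionally and looks like regenerated ordering.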
@@ -51,6 +54,10 @@
 http://www.github.com/atoulme/minitar.
 
 %prep
+%gem_unpack
+%patch0 -p1
+find -type f -print0 | xargs -0 touch -r %{S:0}
+%gem_build
 
 %build
 
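Review bot: `find -type f -print0 | xargs -0 touch -r %{S:0}` deserves a one-line comment in %prep saying why it is there: after `%patch0 -p1` touches the patched file, this resets every unpacked file's mtime to that of the source gem so the rebuilt gem does not carry build-time timestamps. Note that `find` with no starting path is a GNU find extension; it is fine on openSUSE but worth spelling out as `find . -type f` for readers of the spec. The explicit `%gem_unpack` ... `%gem_build` sequence is required here because the patch has to be applied between unpacking and rebuilding, which the default `%gem_unpack`-less %prep did not allow.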

++++++ bsc_1021740.patch ++++++
diff --git a/lib/archive/tar/minitar.rb b/lib/archive/tar/minitar.rb
index 5ad466d..21c5a07 100644
--- a/lib/archive/tar/minitar.rb
+++ b/lib/archive/tar/minitar.rb
@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
         end
 
         inp.each do |entry|
+            if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+              raise entry.full_name + " Error path contains .."
+            end
           if files.empty? or files.include?(entry.full_name)
             inp.extract_entry(dest, entry, &block)
           end
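Review bot: the new check lives in the `inp.each` loop of this caller rather than inside `extract_entry` itself, so any code that calls `Reader#extract_entry` directly (as this loop does on the next line) still extracts an entry name containing `..` without the check; moving the test into `extract_entry` would cover every path. The pattern `/\.{2}(?:\/|\z)/` has no leading boundary, so a legitimate name such as `notes..` or `a../b` is rejected as well; anchoring it as `/(?:\A|\/)\.\.(?:\/|\z)/` after the `squeeze('/')` keeps the rejection of `..` components while avoiding that false positive. Finally, `raise entry.full_name + " Error path contains .."` raises a bare RuntimeError with the entry name in front of the message; a dedicated exception class (or at least `raise ArgumentError, "path contains ..: #{entry.full_name}"`) lets callers rescue this case specifically.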
++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.IBYOkX/_old  2017-02-03 20:00:33.332803850 +0100
+++ /var/tmp/diff_new_pack.IBYOkX/_new  2017-02-03 20:00:33.336803287 +0100
@@ -1,2 +1,4 @@
 ---
 :license: 'Ruby'
+:patches:
+  bsc_1021740.patch: -p1
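Review bot: the `-p1` strip level matches the `a/` and `b/` prefixes in bsc_1021740.patch and the `%patch0 -p1` line in the spec; keep all three in agreement when the patch is refreshed, since gem2rpm derives the spec's Patch0 and %patch0 lines from this key.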

