[DRE-maint] Bug#856269: ruby-zip: diff for NMU version 1.2.0-1.1

2017-02-28 Thread Salvatore Bonaccorso 
Hi Antonio!

On Tue, Feb 28, 2017 at 08:21:23AM -0300, Antonio Terceiro wrote:
> On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 856269 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> thanks - I have just imported the diff to the git repository
> 
> are you also doing a stable update?

Yep sure, I can take care of it.

Regards,
Salvatore

___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

[DRE-maint] Bug#856269: ruby-zip: diff for NMU version 1.2.0-1.1

2017-02-28 Thread Antonio Terceiro 
On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> Control: tags 856269 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

thanks - I have just imported the diff to the git repository

are you also doing a stable update?


signature.asc
Description: PGP signature
___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

[DRE-maint] Bug#856269: ruby-zip: diff for NMU version 1.2.0-1.1

2017-02-27 Thread Salvatore Bonaccorso 
Control: tags 856269 + pending

Dear maintainer,

I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru ruby-zip-1.2.0/debian/changelog ruby-zip-1.2.0/debian/changelog
--- ruby-zip-1.2.0/debian/changelog	2016-09-10 08:12:53.0 +0200
+++ ruby-zip-1.2.0/debian/changelog	2017-02-27 17:38:59.0 +0100
@@ -1,3 +1,11 @@
+ruby-zip (1.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-5946: directory traversal vulnerability in Zip::File component
+(Closes: #856269)
+
+ -- Salvatore Bonaccorso   Mon, 27 Feb 2017 17:38:59 +0100
+
 ruby-zip (1.2.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch
--- ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch	1970-01-01 01:00:00.0 +0100
+++ ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch	2017-02-27 17:38:59.0 +0100
@@ -0,0 +1,28 @@
+From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
+From: Alexander Simonov 
+Date: Wed, 8 Feb 2017 13:43:14 +0200
+Subject: [PATCH] Fix #315 and resolve relative path vulnerability
+
+---
+ lib/zip/entry.rb | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
+index 7884458..0aba0eb 100644
+--- a/lib/zip/entry.rb
 b/lib/zip/entry.rb
+@@ -150,6 +150,11 @@ module Zip
+ def extract(dest_path = @name, )
+   block ||= proc { ::Zip.on_exists_proc }
+ 
++  if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++puts "WARNING: skipped \"../\" path component(s) in #{@name}"
++return self
++  end
++
+   if directory? || file? || symlink?
+ __send__("create_#{@ftype}", dest_path, )
+   else
+-- 
+2.11.0
+
diff -Nru ruby-zip-1.2.0/debian/patches/series ruby-zip-1.2.0/debian/patches/series
--- ruby-zip-1.2.0/debian/patches/series	2016-09-10 08:12:53.0 +0200
+++ ruby-zip-1.2.0/debian/patches/series	2017-02-27 17:38:59.0 +0100
@@ -1,3 +1,4 @@
 require-forwardable-fix-test.patch
 ignore-simplecov.diff
 fix-random-tests-failures
+CVE-2017-5946.patch
___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers