Control: tags 856269 + pending
Dear maintainer,
I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
diff -Nru ruby-zip-1.2.0/debian/changelog ruby-zip-1.2.0/debian/changelog
--- ruby-zip-1.2.0/debian/changelog 2016-09-10 08:12:53.0 +0200
+++ ruby-zip-1.2.0/debian/changelog 2017-02-27 17:38:59.0 +0100
@@ -1,3 +1,11 @@
+ruby-zip (1.2.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2017-5946: directory traversal vulnerability in Zip::File component
+(Closes: #856269)
+
+ -- Salvatore Bonaccorso Mon, 27 Feb 2017 17:38:59 +0100
+
ruby-zip (1.2.0-1) unstable; urgency=medium
* Team upload.
diff -Nru ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch
--- ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch 1970-01-01 01:00:00.0 +0100
+++ ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch 2017-02-27 17:38:59.0 +0100
@@ -0,0 +1,28 @@
+From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
+From: Alexander Simonov
+Date: Wed, 8 Feb 2017 13:43:14 +0200
+Subject: [PATCH] Fix #315 and resolve relative path vulnerability
+
+---
+ lib/zip/entry.rb | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
+index 7884458..0aba0eb 100644
+--- a/lib/zip/entry.rb
b/lib/zip/entry.rb
+@@ -150,6 +150,11 @@ module Zip
+ def extract(dest_path = @name, )
+ block ||= proc { ::Zip.on_exists_proc }
+
++ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++puts "WARNING: skipped \"../\" path component(s) in #{@name}"
++return self
++ end
++
+ if directory? || file? || symlink?
+ __send__("create_#{@ftype}", dest_path, )
+ else
+--
+2.11.0
+
diff -Nru ruby-zip-1.2.0/debian/patches/series ruby-zip-1.2.0/debian/patches/series
--- ruby-zip-1.2.0/debian/patches/series 2016-09-10 08:12:53.0 +0200
+++ ruby-zip-1.2.0/debian/patches/series 2017-02-27 17:38:59.0 +0100
@@ -1,3 +1,4 @@
require-forwardable-fix-test.patch
ignore-simplecov.diff
fix-random-tests-failures
+CVE-2017-5946.patch
___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers