This bug was fixed in the package libzip-ruby -
0.9.4-1+deb7u1build0.12.04.1
---------------
libzip-ruby (0.9.4-1+deb7u1build0.12.04.1) precise-security; urgency=medium
* fake sync from Debian (LP: #1669894)
libzip-ruby (0.9.4-1+deb7u1) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2017-5946:
It was discovered that libzip-ruby, a Ruby module for reading and writing
zip files, is prone to a directory traversal vulnerability. An attacker can
take advantage of this flaw to overwrite arbitrary files during archive
extraction via a .. (dot dot) in an extracted filename.
-- Tyler Hicks <[email protected]> Mon, 13 Mar 2017 15:06:48 +0000
** Changed in: libzip-ruby (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1669894
Title:
Security - CVE-2017-5946
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip-ruby/+bug/1669894/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
