oss-sec mailing list archives
CVE request: rubygem minitar: directory traversal vulnerability
From: Max Veytsman <max () appcanary com>
Date: Tue, 24 Jan 2017 12:15:48 -0500
Rubygem minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

Issue: https://github.com/halostatue/minitar/issues/16
Upstream patch: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar. I believe they're based on the same codebase, and minitar is the officially supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
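An added example, not minitar's code or the upstream patch linked above, of the entry-name check a tar extractor needs so that a `..` component (or an absolute name) cannot redirect a write outside the destination directory; `safe_entry_path`, `classify_entries` and the sample entry names are constructed for illustration.

```ruby
# Hypothetical helper (not minitar's code): return the absolute path an
# archive entry may be written to beneath +dest+, or nil if the entry must
# be skipped. Rejects absolute names, home-directory expansion, any ".."
# component, and anything that still resolves outside +dest+ afterwards.
def safe_entry_path(dest, entry_name)
  dest_abs = File.expand_path(dest)
  return nil if entry_name.nil? || entry_name.empty?
  # Absolute names ignore +dest+; "~" would be expanded to a home directory.
  return nil if entry_name.start_with?("/", "~")
  # Reject any ".." path component outright (the input class in the report).
  return nil if entry_name.split("/").include?("..")
  target = File.expand_path(entry_name, dest_abs)
  # Belt and braces: the normalised path must still sit under dest.
  return nil unless target == dest_abs || target.start_with?(dest_abs + "/")
  target
end

# Constructed sample entry names, as they might appear in a crafted archive.
SAMPLE_ENTRIES = [
  "etc/motd",           # ordinary relative entry
  "../../etc/passwd",   # classic traversal
  "/etc/passwd",        # absolute name
  "ok/../../escape",    # traversal behind a benign prefix
  "a/./b",              # harmless "." component, allowed after normalisation
].freeze

# Map each entry name to :allowed or :rejected for the given destination.
def classify_entries(dest, entries = SAMPLE_ENTRIES)
  entries.map { |e| [e, safe_entry_path(dest, e) ? :allowed : :rejected] }.to_h
end

if __FILE__ == $0
  classify_entries("/tmp/extract").each { |name, verdict| puts "#{verdict}\t#{name}" }
end
```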
Current thread:
- CVE request: rubygem minitar: directory traversal vulnerability Max Veytsman (Jan 24)
- Re: CVE request: rubygem minitar: directory traversal vulnerability cve-assign (Jan 29)