oss-sec mailing list archives

CVE request: rubygem minitar: directory traversal vulnerability


From: Max Veytsman <max () appcanary com>
Date: Tue, 24 Jan 2017 12:15:48 -0500

Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar.

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>

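The check that prevents this class of bug is to resolve each entry name against the extraction directory before writing, and refuse anything that resolves outside it. The following Ruby is an added illustration, not minitar's code or its patch; it assumes nothing about minitar's API and works on entry names alone, so it can run before a single byte is written.

```ruby
require "pathname"

# Added example, not minitar's code: a lexical check that an archive entry
# name cannot escape the extraction directory. No filesystem access is made,
# so the check can run before anything is written.
def safe_entry_path?(dest_dir, entry_name)
  return false if entry_name.nil? || entry_name.empty?
  # An absolute entry name would replace dest_dir outright when joined.
  return false if Pathname.new(entry_name).absolute?

  base   = Pathname.new(dest_dir).cleanpath
  target = (base + entry_name).cleanpath   # ".." segments resolved lexically

  # Compare path components rather than string prefixes, so that
  # "/tmp/outdir2/x" is not accepted as a child of "/tmp/out".
  base_parts   = base.each_filename.to_a
  target_parts = target.each_filename.to_a
  target_parts[0, base_parts.length] == base_parts
end

# Partition a list of entry names into those safe to extract under dest_dir
# and those that would land outside it. Returns [safe, rejected].
def partition_entries(dest_dir, entry_names)
  entry_names.partition { |name| safe_entry_path?(dest_dir, name) }
end

# Constructed sample entry names (not taken from a real archive).
SAMPLE_ENTRIES = [
  "docs/README",
  "docs/../LICENSE",            # resolves to LICENSE inside dest_dir: fine
  "../../etc/passwd",           # escapes dest_dir
  "docs/../../outside.txt",     # escapes dest_dir
  "/etc/crontab",               # absolute name, ignores dest_dir
].freeze

if $PROGRAM_NAME == __FILE__
  safe, rejected = partition_entries("/tmp/out", SAMPLE_ENTRIES)
  puts "safe:     #{safe.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

The check is purely lexical: it decides from the name, which is the right first gate for the `..` case reported here. It does not see symlinks that already exist under the destination (including ones an earlier entry of the same archive created), so an extractor should additionally confirm with `File.realpath` that the parent directory of each file it is about to write still lies inside the destination.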