oss-sec mailing list archives
Re: CVE request: rubygem minitar: directory traversal vulnerability
From: <cve-assign () mitre org>
Date: Sun, 29 Jan 2017 07:07:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Rubygem minitar allows attackers to overwrite arbitrary files during archive
> extraction via a .. (dot dot) in an extracted filename.
>
> https://github.com/halostatue/minitar/issues/16
> https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
> https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
>
> The same issue exists in rubygem archive-tar-minitar. I believe they're based
> on the same codebase, and minitar is the officially supported fork, so I'm not
> sure if this warrants two CVEs or just one.

Use CVE-2016-10173 for both minitar and archive-tar-minitar.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYjdlmAAoJEHb/MwWLVhi2CSsP/izDwh+T5DR5ms7134ihHYzW
bMGXiHY273TjJmBdg3EjXbmuhydzVXIe6rOKc+kZZ8CmMW6Xm8M8cQ0aV19h5pnm
jC8jdLkD3zhN4Gb5kTFVHzGxdDP0jTiWamsrt1r9hKTpnP4hLia5oeB2EZhqPp0W
LBkeVSwAzNhK1WjRZ0hKOKA5t55djzNO6YzwPx9541a2Ec1fr7wYCbb5VPrG0JIj
8K8xjE7sjuxh+agknZPHgXLhj/YDk07sEKmMnLhnJy4IyyPWvgYDa46C11CWJc/T
DfNWIJx6OMDkRDnxduNl/WQ3g1s00hcR6Wn1TEldELz9YdpkNG7HKpz1+cC1QtYX
ICjtcm2xaJ3KkMW0SyalZ8gRzGhjfti7Gvf3JEopIDYJtBy3Kkf9ozDLpwPbo49l
tLCZSuTVkRgdlAlFAaJLn56qx9eHv6TpZt+QgVVVjEWbGy3E8i4DZhcTtjZTQA7X
m5Ud76iDK5b6qxZjNhZEf5pqdN+d8nXAnnn1vdb8GVJmIJ4uJK/hMksL7kvWp96U
pQmwWM20N1i3uWcMJb14asAJXJWrwxwWavFgnLUbVOG1pipNwBxsA9VqrwgMLSQb
OXFoBzNSJEmRj+zt1H8B9Dq6GHT0ZvuxGlkGlff3rENxuKYLpBO7bSOeCmOhNY0j
Q1MA3pDnDnn4wLy7m58b
=IIhb
-----END PGP SIGNATURE-----
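The traversal described in the request above, and the containment check that blocks it, as an added example that is not part of this thread and is not minitar's own fix (the project's patch is the commit linked above). It uses the TarWriter/TarReader classes that ship with RubyGems to build a constructed in-memory archive carrying a `../` entry name and an absolute entry name, then extracts it with a hypothetical `extract_safely` helper that resolves every entry name against the extraction root and refuses anything that would land outside it. All function names and sample entries are assumptions made for illustration.

```ruby
require "rubygems/package" # TarWriter/TarReader ship with RubyGems; no gem install needed
require "stringio"
require "tmpdir"
require "fileutils"

# Resolve an archive entry name against the extraction root and return the
# absolute target path, or nil when the entry would land outside the root.
# Absolute names ("/tmp/x") and ".." segments ("../../x", "a/../../x") are both
# caught, because File.expand_path normalises them before the prefix test.
# The separator is appended so "/srv/unpackX" is not mistaken for "/srv/unpack".
def safe_destination(root, entry_name)
  root = File.expand_path(root)
  target = File.expand_path(entry_name, root)
  return target if target == root || target.start_with?(root + File::SEPARATOR)
  nil
end

# Extract a tar stream into `root`, skipping any entry that escapes it.
# Returns [extracted_names, rejected_names]. Only regular files and directories
# are written; symlink, hardlink and device entries are rejected as well, since
# a link pointing outside the root followed by a file written through it is the
# other classic way out of an extraction directory. (Hypothetical helper.)
def extract_safely(tar_io, root)
  extracted = []
  rejected = []
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = safe_destination(root, name)
      if target.nil? || !(entry.file? || entry.directory?)
        rejected << name
        next
      end
      if entry.directory?
        FileUtils.mkdir_p(target)
      else
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
      end
      extracted << name
    end
  end
  [extracted, rejected]
end

# Constructed sample archive: one benign directory and file, plus two hostile
# entries, a ".." name and an absolute name. Entirely made up for this example.
def build_hostile_tar
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.mkdir("docs", 0o755)
    tar.add_file("docs/readme.txt", 0o644) { |f| f.write("harmless\n") }
    tar.add_file("../../escaped.txt", 0o644) { |f| f.write("overwritten!\n") }
    tar.add_file("/tmp/absolute.txt", 0o644) { |f| f.write("also bad\n") }
  end
  io.rewind
  io
end

# Run the extraction in a scratch directory and report what happened, so the
# outcome can be inspected by a caller instead of only printed.
def demo
  Dir.mktmpdir("minitar-demo") do |scratch|
    root = File.join(scratch, "unpack")
    FileUtils.mkdir_p(root)
    extracted, rejected = extract_safely(build_hostile_tar, root)
    {
      extracted: extracted,
      rejected: rejected,
      readme_present: File.exist?(File.join(root, "docs", "readme.txt")),
      escaped_present: File.exist?(File.join(scratch, "escaped.txt"))
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The check is on the resolved path rather than on the presence of a `..` substring, so a name like `docs/../readme.txt` that stays inside the root is still accepted, while `a/../../b` is not. A production extractor also has to defend the other direction of the same bug: an entry that creates a symlink inside the root and a later entry that writes through it, and pre-existing symlinks in the destination; the example sidesteps both by refusing link entries outright.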
Current thread:
- CVE request: rubygem minitar: directory traversal vulnerability Max Veytsman (Jan 24)
- Re: CVE request: rubygem minitar: directory traversal vulnerability cve-assign (Jan 29)