Date: Tue, 24 Jan 2017 12:15:48 -0500
From: Max Veytsman <max@...canary.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: rubygem minitar: directory traversal vulnerability

Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar.

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
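To make the bug class in the report above concrete from the defending side, here is an added Ruby example (not minitar's code, not the upstream patch, and not code from the poster): the naive destination-path computation that lets a `..` entry name escape the extraction directory, next to a hardened check that rejects absolute names and `..` components and then verifies the resolved target is still under the destination. The function names, the `/tmp/out` destination and the entry names are all constructed for illustration.

```ruby
# Added example, not minitar's code. Demonstrates why trusting tar entry
# names leads to directory traversal, and one conservative screening policy.

# Naive: trusts the entry name from the archive. A name such as
# "../../etc/passwd" resolves to a location outside dest_dir.
def naive_target_path(dest_dir, entry_name)
  File.join(dest_dir, entry_name)
end

# Hardened: returns the absolute path to write, or nil if the entry must be
# rejected. Policy: no absolute names, no ".." components anywhere, and the
# resolved target must still lie under dest_dir.
def safe_entry_path(dest_dir, entry_name)
  return nil if entry_name.nil? || entry_name.empty?
  return nil if entry_name.start_with?('/')          # absolute entry name
  return nil if entry_name.split('/').include?('..') # any traversal component
  base = File.expand_path(dest_dir)
  # Join before expanding so a leading "~" in the entry name is never
  # tilde-expanded by File.expand_path.
  target = File.expand_path(File.join(base, entry_name))
  # Defence in depth: containment check on the final resolved path.
  return nil unless target == base || target.start_with?(base + '/')
  target
end

# Screen a list of entry names, reporting which would be written and where,
# and which would be rejected before any file is touched.
def screen_entries(dest_dir, entry_names)
  result = { allowed: {}, rejected: [] }
  entry_names.each do |name|
    path = safe_entry_path(dest_dir, name)
    if path
      result[:allowed][name] = path
    else
      result[:rejected] << name
    end
  end
  result
end

# Constructed sample entry names, as they might appear in tar headers.
SAMPLE_ENTRIES = [
  'README',
  'lib/minitar_user.rb',
  './config/settings.yml',
  'notes/..hidden',          # a filename beginning with '..' is not traversal
  '../../etc/passwd',        # the traversal pattern reported above
  'a/../b',                  # rejected conservatively: contains a '..' component
  '/etc/cron.d/job',         # absolute name
].freeze

if __FILE__ == $PROGRAM_NAME
  screened = screen_entries('/tmp/out', SAMPLE_ENTRIES)
  screened[:allowed].each { |name, path| puts "write   #{name.ljust(24)} -> #{path}" }
  screened[:rejected].each { |name| puts "reject  #{name}" }
  naive = naive_target_path('/tmp/out', SAMPLE_ENTRIES[4])
  puts "naive would write #{SAMPLE_ENTRIES[4]} to #{File.expand_path(naive)}"
end
```

The explicit `..` rejection is deliberately stricter than a pure containment check: `a/../b` would resolve inside the destination, but there is no legitimate reason for an archive to carry such a name, so refusing it costs nothing and keeps the rule easy to audit. Entry-name screening alone does not cover symlink entries that a later entry in the same archive could write through; an extractor that supports symlinks needs a separate rule for those.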
