Date: Tue, 24 Jan 2017 12:15:48 -0500
From: Max Veytsman <max@...canary.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: rubygem minitar: directory traversal vulnerability

Rubygem minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

Issue: https://github.com/halostatue/minitar/issues/16
Upstream patch: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar. I believe they're based on the same codebase, and minitar is the officially supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
-- 
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
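The bug class in the report above is a tar extractor that joins each entry name onto the destination directory without checking where the result lands. The following is an added example, not code from the original message and not minitar's own implementation or its upstream fix: it puts the naive join beside a destination-confinement check that an extractor should apply to every entry name before touching the filesystem. The function names, the `PathTraversalError` class and the sample entry names are assumptions constructed for this example.

```ruby
# Added example: confining tar entry names to the extraction directory.
# Illustrative code, not minitar's implementation or its patch.

class PathTraversalError < StandardError; end

# The vulnerable pattern: entry name joined onto dest with no validation.
# "../evil.txt" simply becomes "<dest>/../evil.txt", which the OS resolves
# to the parent directory of dest.
def naive_extract_path(dest, entry_name)
  File.join(dest, entry_name)
end

# Hardened mapping: canonicalise both sides and require the target to be
# dest itself or to live strictly below it.
def safe_extract_path(dest, entry_name)
  # Absolute names would ignore dest entirely; reject them outright.
  if entry_name.start_with?(File::SEPARATOR)
    raise PathTraversalError, "absolute entry name: #{entry_name}"
  end

  # File.absolute_path is used instead of File.expand_path on purpose:
  # expand_path treats a leading "~" as a home directory, so an entry named
  # "~/.bashrc" would resolve into the extracting user's home. absolute_path
  # leaves "~" as an ordinary directory name but still collapses "." and "..".
  base   = File.absolute_path(dest)
  target = File.absolute_path(entry_name, base)

  # Compare with a trailing separator so "/tmp/out2" is not accepted as
  # being inside "/tmp/out".
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise PathTraversalError, "entry escapes destination: #{entry_name}"
  end
  target
end

# Dry-run an archive's entry names through the check without writing
# anything; returns [name, :ok | :rejected, resolved path or reason].
def audit_entries(dest, names)
  names.map do |name|
    begin
      [name, :ok, safe_extract_path(dest, name)]
    rescue PathTraversalError => e
      [name, :rejected, e.message]
    end
  end
end

# Constructed sample entry names (not from any real archive).
SAMPLE_ENTRIES = [
  'docs/README',          # ordinary entry
  'lib/../lib/a.rb',      # ".." that stays inside dest
  '../evil.txt',          # the minitar issue: escapes dest
  'x/../../../etc/passwd',# deeper traversal
  '/etc/passwd',          # absolute name
  '~root/.profile'        # must not be expanded as a home directory
].freeze

if __FILE__ == $0
  audit_entries('/tmp/out', SAMPLE_ENTRIES).each do |name, status, detail|
    puts format('%-24s %-9s %s', name, status, detail)
  end
end
```

The check is purely lexical: it decides from the name alone and never follows symlinks, so an archive that first extracts a symlink pointing outside the destination and then writes a file through it is not caught by this function and needs a separate check at write time (for example, refusing to write through any existing symlink under the destination).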