Date: Tue, 24 Jan 2017 12:15:48 -0500 From: Max Veytsman <max@...canary.com> To: oss-security@...ts.openwall.com Subject: CVE request: rubygem minitar: directory traversal vulnerability Rubygem minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Issue: https://github.com/halostatue/minitar/issues/16 Upstream patch: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4 The same issue exists in rubygem archive-tar-minitar I believe they're based on the same codebase, and minitar is the officially supported fork, so I'm not sure if this warrants two CVEs or just one. Thanks, -- Max Veytsman Co-founder appcanary.com @mveytsman <https://twitter.com/mveytsman>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.