
List:       oss-security
Subject:    [oss-security] Re: CVE request: rubygem minitar: directory traversal vulnerability
From:       <cve-assign () mitre ! org>
Date:       2017-01-29 12:07:04
Message-ID: 2c120680243249b2a86b85883b8c4cb4 () imshyb01 ! MITRE ! ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Rubygem minitar allows attackers to overwrite arbitrary files during
> archive extraction via a .. (dot dot) in an extracted filename.
> 
> https://github.com/halostatue/minitar/issues/16
> https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
> https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
> 
> The same issue exists in rubygem archive-tar-minitar
> 
> I believe they're based on the same codebase, and minitar is the officially
> supported fork, so I'm not sure if this warrants two CVEs or just one.

Use CVE-2016-10173 for both minitar and archive-tar-minitar.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
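As an added illustration of the bug class named in the request above (this is not part of the original thread, and not minitar's or archive-tar-minitar's own code), the Ruby script below builds a small ustar archive containing the kind of entry names a malicious tarball would carry, shows where a naive File.join(dest, name) would place each one, and then extracts the archive with a path check that rejects absolute names and any name that still begins with ".." after normalisation. The archive contents and the helper names (tar_header, build_tar, each_tar_entry, naive_target, safe_target, extract_safely) are constructed for this example; the tar writer/reader is a minimal stdlib-only stand-in for regular-file entries, not the gem's API.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

class UnsafeEntry < StandardError; end

# Minimal ustar writer/reader (regular files only), stdlib-only so this runs
# without the gem. It stands in for the archive library; it is not its API.
def tar_header(name, size)
  raise ArgumentError, "name longer than 100 bytes" if name.bytesize > 100
  h = [
    name.ljust(100, "\0"),                      # name
    "0000644\0", "0000000\0", "0000000\0",      # mode, uid, gid
    format("%011o", size) + "\0",               # size, octal
    format("%011o", 0) + "\0",                  # mtime
    "        ",                                 # checksum: spaces while summing
    "0",                                        # typeflag: regular file
    "\0" * 100,                                 # linkname
    "ustar\0", "00",                            # magic, version
    "\0" * 32, "\0" * 32, "\0" * 8, "\0" * 8,   # uname, gname, devmajor, devminor
    "\0" * 155,                                 # prefix
  ].join.ljust(512, "\0").b
  h[148, 8] = format("%06o", h.bytes.sum) + "\0 "
  h
end

# entries: { "name" => "content" }; returns the archive bytes.
def build_tar(entries)
  out = "".b
  entries.each do |name, content|
    padded = content.b.ljust((content.bytesize + 511) / 512 * 512, "\0")
    out << tar_header(name, content.bytesize) << padded
  end
  out << "\0".b * 1024                          # end-of-archive marker
end

# Returns [[name, data], ...], taking the name field exactly as the archive gives it.
def each_tar_entry(tar)
  entries = []
  offset = 0
  while offset + 512 <= tar.bytesize
    header = tar[offset, 512]
    break if header.bytes.all?(&:zero?)
    name = header[0, 100].sub(/\0.*/m, "")
    size = header[124, 12].sub(/\0.*/m, "").strip.to_i(8)
    entries << [name, tar[offset + 512, size]]
    offset += 512 + (size + 511) / 512 * 512
  end
  entries
end

# Vulnerable pattern: the archive's name field is trusted verbatim, so "../"
# components (or an absolute name) land the file outside dest_dir.
def naive_target(dest_dir, name)
  File.expand_path(File.join(dest_dir, name))
end

# Hardened: normalise the name first, then refuse absolute names and any name
# that still starts with ".." once "a/../b" style components are collapsed.
def safe_target(dest_dir, name)
  clean = Pathname.new(name).cleanpath
  raise UnsafeEntry, "absolute entry name: #{name}" if clean.absolute?
  raise UnsafeEntry, "entry escapes destination: #{name}" if clean.each_filename.first == ".."
  File.expand_path(File.join(dest_dir, clean.to_s))
end

# Extracts accepted entries under dest_dir; returns one [name, :ok, path] or
# [name, :rejected, reason] triple per entry, in archive order.
def extract_safely(tar, dest_dir)
  each_tar_entry(tar).map do |name, data|
    begin
      path = safe_target(dest_dir, name)
      FileUtils.mkdir_p(File.dirname(path))
      File.binwrite(path, data)
      [name, :ok, path]
    rescue UnsafeEntry => e
      [name, :rejected, e.message]
    end
  end
end

# Constructed sample archive: one benign file, a harmless "x/../" name, and the
# traversal payloads a malicious tarball would carry (names invented here).
SAMPLE_TAR = build_tar(
  "docs/README"                  => "hello\n",
  "../../.ssh/authorized_keys"   => "ssh-ed25519 AAAA... attacker\n",
  "a/b/../../../etc/cron.d/evil" => "* * * * * root id\n",
  "/etc/passwd"                  => "root::0:0::/:/bin/sh\n",
  "sub/../ok.txt"                => "fine\n"
)

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dest|
    each_tar_entry(SAMPLE_TAR).each do |name, _|
      puts "naive: #{name.ljust(30)} -> #{naive_target(dest, name)}"
    end
    extract_safely(SAMPLE_TAR, dest).each do |name, status, info|
      puts "safe:  #{name.ljust(30)} -> #{status} #{info}"
    end
  end
end
```

Two caveats a real extractor has to cover beyond this check: it only inspects the name field, so an archive that first creates a symlink (or hard link) entry pointing outside the destination and then writes a regular file through that link still escapes, which means link targets need the same validation or links need to be refused; and the minimal reader here handles typeflag 0 only, so directory, link and long-name (GNU/pax) entries are out of scope for the demonstration.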
