CVE-2018-1000544

Related Vulnerabilities: CVE-2018-1000544   CVE-2017-5946  

Debian Bug report logs - #902720
CVE-2018-1000544


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 29 Jun 2018 21:06:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions ruby-zip/1.1.6-1, ruby-zip/1.2.1-1

Fixed in version ruby-zip/1.2.2-1

Done: Markus Koschany <apo@debian.org>

Forwarded to https://github.com/rubyzip/rubyzip/issues/369



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#902720; Package ruby-zip. (Fri, 29 Jun 2018 21:06:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 29 Jun 2018 21:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-1000544
Date: Fri, 29 Jun 2018 23:03:25 +0200
Package: ruby-zip
Severity: grave
Tags: security

This was assigned CVE-2018-1000544:
https://github.com/rubyzip/rubyzip/issues/369

Cheers,
        Moritz
 



Marked as found in versions ruby-zip/1.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 18:09:03 GMT)


Set Bug forwarded-to-address to 'https://github.com/rubyzip/rubyzip/issues/369'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 18:09:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 18:09:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#902720; Package ruby-zip. (Wed, 15 Aug 2018 10:36:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 15 Aug 2018 10:36:03 GMT)


Message #16 received at 902720@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 902720@bugs.debian.org
Subject: Re: CVE-2018-1000544
Date: Wed, 15 Aug 2018 12:33:30 +0200
[Message part 1 (text/plain, inline)]
Control: tags -1 pending

I have uploaded a security update to address CVE-2018-1000544. Please
find attached the debdiff.

Markus
[ruby-zip.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Added tag(s) pending. Request was from Markus Koschany <apo@debian.org> to 902720-submit@bugs.debian.org. (Wed, 15 Aug 2018 10:36:03 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 15 Aug 2018 10:57:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 15 Aug 2018 10:57:07 GMT)


Message #23 received at 902720-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 902720-close@bugs.debian.org
Subject: Bug#902720: fixed in ruby-zip 1.2.1-1.1
Date: Wed, 15 Aug 2018 10:53:59 +0000
Source: ruby-zip
Source-Version: 1.2.1-1.1

We believe that the bug you reported is fixed in the latest version of
ruby-zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated ruby-zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Aug 2018 13:57:54 +0200
Source: ruby-zip
Binary: ruby-zip
Architecture: source
Version: 1.2.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 ruby-zip   - Ruby module for reading and writing zip files
Closes: 902720
Changes:
 ruby-zip (1.2.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2018-1000544:
     rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory
     Traversal vulnerability that can be exploited to write arbitrary files to
     the filesystem. (Closes: #902720)
   * Drop CVE-2017-5946.patch because this one was already fixed in version
     1.2.1.
Checksums-Sha1:
 6d106d510e01dd99385c7acb5e9cdc7c7456f7a8 2200 ruby-zip_1.2.1-1.1.dsc
 f1ef96cdbc791de1e1a129e26ba08ebadd2e5c6a 6276 ruby-zip_1.2.1-1.1.debian.tar.xz
 fd24066e4f8f026a3690517764031ee1a6e75478 6810 ruby-zip_1.2.1-1.1_amd64.buildinfo
Checksums-Sha256:
 37af4d955634a03999a4f2af7713e6c69f70b0707fc3f802c8adf9123a2cfaa2 2200 ruby-zip_1.2.1-1.1.dsc
 52527d49596965fd03d4d0a84b8ef330e4d7475c901504f2dd30f109818df880 6276 ruby-zip_1.2.1-1.1.debian.tar.xz
 f430da61c2d0f3ab28a07709deeb1f16d4f6e0ebf341a50165532797497e62aa 6810 ruby-zip_1.2.1-1.1_amd64.buildinfo
Files:
 d3e080515f5b5a5916c1449d6d03429d 2200 ruby optional ruby-zip_1.2.1-1.1.dsc
 8a9c8bc20f0ab0a344c70bf6a9241fa2 6276 ruby optional ruby-zip_1.2.1-1.1.debian.tar.xz
 93b1d95dbf80ae3cffba58f97963ae44 6810 ruby optional ruby-zip_1.2.1-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlt0ASNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkHtMP/08fqyHHqf7nKneCxjqe+bbkAbg/w4jUbspT
44rwBf0yyLlKOWp9/D//39xr3A+7E2zqBiZCPpTEviE/y5/mEUjc2z0m9Qhn+t8V
xLJL2IClKFuMyYqTQ7A0q1oqSzut380csHrgrqcFDjZyVdTxB9CQ/TjxdBdRKvyT
vLJDXCvGfw93WXEtgLWOnZmsD1yCWdfQA9OjhGikgtwkZRg1ZBOkwRz3pmhoFP6l
nHmItefywUsuaN9+lxxFSwFOG/HtrVOYdKolb0b1sbwWQwMytW/JEri8XoB/BNUV
NQ+HnKj/X7vql38HfWT4eBhJ9eOQiIp87c82iEV54ANRkYZPjX7bz+Cg1wd//AXl
FFpqp9GpqrBPxPFIGaxgcmM0hTR2Dt9oaa/0e6M7WRAF8xaInxTrNpBxi6rDv1F9
zRjyomOkvmmoVBvh+wUh4GFbH8nI0BjeyID2e5uH0dXE7PEII3l3/cqzxM3RuBZE
QPkvm/UxkxiV9ZnpHdLIo5Qawf4Rw3d02gf9SMGL9Vt+rEwjTAWAHVSl3AjmkLqt
dcdKdvYTQeVieE6cMo/vPFhp2d0+ITDTuQzKkwllRXtLimJ9TQKdqsygVB86QA9e
V7t8DIODzayk2oTRQ+nxI0K+DtE//yNsyKZFl7XPqv79yeBgH8cP0GAkEqMJvF6t
cyK7gVIy
=HeAT
-----END PGP SIGNATURE-----
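The changelog entry above describes the bug class (an archive entry name that resolves to a location outside the extraction directory, so extraction writes files where the caller did not intend). The Ruby snippet below is an added example, not code from rubyzip, from the Debian patch, or from this bug report: it shows the destination-path check a defender would want in any extraction routine, using only the standard library. The function names, the destination directory `/srv/extract` and the sample entry names are constructed for illustration.

```ruby
# Added example (not rubyzip's code): lexical guard against archive
# entries whose name would escape the extraction directory.
require 'pathname'

# Returns the absolute path an entry would be written to when extracted
# under dest_dir, or nil when that path falls outside dest_dir.
# Pure string/path logic: nothing is read or written.
def safe_extraction_path(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  # expand_path resolves "." and ".." lexically; an absolute entry name
  # ignores root entirely, which the prefix test below catches.
  target = File.expand_path(entry_name, root)
  return nil unless target == root || target.start_with?(root + File::SEPARATOR)
  target
rescue ArgumentError
  # e.g. "~unknownuser/x" raises when the user cannot be expanded
  nil
end

# Constructed sample entry names, as an archive listing might present them.
SAMPLE_ENTRIES = [
  'lib/foo.rb',            # ordinary relative entry
  'docs/../README',        # ".." that stays inside the tree
  '../../outside.txt',     # ".." that climbs above dest_dir
  '/tmp/absolute.txt',     # absolute entry name
  'a/b/../../../escape',   # deep path that still climbs out
  '~/dotfile'              # home-directory expansion
].freeze

# Maps each entry name to :ok or :rejected for a given destination.
def classify_entries(dest_dir, entries = SAMPLE_ENTRIES)
  entries.each_with_object({}) do |name, result|
    result[name] = safe_extraction_path(dest_dir, name) ? :ok : :rejected
  end
end

if $PROGRAM_NAME == __FILE__
  classify_entries('/srv/extract').each { |name, verdict| puts "#{verdict}\t#{name}" }
end
```

The check is lexical only: it does not follow symbolic links, so an extractor that first writes a symlink entry and later writes through it still needs a separate guard (resolving the parent with `File.realpath` after each write, or refusing symlink entries outright). Rejecting an entry is the right default; rewriting its name silently hides the fact that the archive was malformed.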




Marked as found in versions ruby-zip/1.1.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Aug 2018 11:15:04 GMT)


No longer marked as fixed in versions ruby-zip/1.2.1-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Dec 2018 08:03:06 GMT)


Marked as fixed in versions ruby-zip/1.2.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Dec 2018 08:03:07 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Dec 2018 08:33:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:51 2019; Machine Name: beach
