ruby-zip: CVE-2017-5946

Related Vulnerabilities: CVE-2017-5946  

Debian Bug report logs - #856269


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 27 Feb 2017 10:09:02 UTC

Severity: grave

Tags: patch, security, upstream

Merged with 856683

Found in version ruby-zip/1.1.6-1

Fixed in versions ruby-zip/1.2.0-1.1, ruby-zip/1.1.6-1+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/rubyzip/rubyzip/issues/315




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#856269; Package src:ruby-zip. (Mon, 27 Feb 2017 10:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 27 Feb 2017 10:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-zip: CVE-2017-5946
Date: Mon, 27 Feb 2017 11:07:56 +0100
Source: ruby-zip
Version: 1.1.6-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/rubyzip/rubyzip/issues/315

Hi,

the following vulnerability was published for ruby-zip.

CVE-2017-5946[0]:
| The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
| directory traversal vulnerability. If a site allows uploading of .zip
| files, an attacker can upload a malicious file that uses "../" pathname
| substrings to write arbitrary files to the filesystem.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5946
[1] https://github.com/rubyzip/rubyzip/issues/315

Regards,
Salvatore

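The CVE text quoted in the report describes entry names carrying "../" segments that escape the extraction directory. As an added example, not part of this bug report and not rubyzip's own code, the following Ruby check resolves each entry name against the destination directory and rejects any that would land outside it; the destination path and the entry names are constructed.

```ruby
# Added example, not rubyzip's own code: the per-entry check an extractor
# must apply before writing an archive member to disk. Entry names are
# attacker-controlled, so the resolved path, not the raw name, is what
# gets compared against the extraction directory.

# Constructed sample entry names, mixing benign members with the "../"
# and absolute-path shapes described in CVE-2017-5946.
SAMPLE_ENTRIES = [
  "README.md",
  "lib/zip.rb",
  "lib/../Gemfile",           # normalises to Gemfile, still inside
  "../../etc/cron.d/job",     # classic traversal
  "/etc/passwd",              # absolute name
  "images/../../outside.txt", # traversal hidden behind a benign prefix
].freeze

# Returns the absolute path the entry may be written to, or nil when the
# entry would resolve outside dest_dir. Trailing slashes and "." / ".."
# segments are normalised by File.expand_path before the comparison.
def safe_extract_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # Absolute names (POSIX or Windows drive-letter) are never legitimate
  # archive members; reject them before resolving.
  return nil if entry_name.start_with?("/") || entry_name.match?(/\A[A-Za-z]:/)

  target = File.expand_path(entry_name, base)
  # Require base + separator as prefix so "/srv/out2" is not accepted as
  # being inside "/srv/out", and refuse writes to the base dir itself.
  return nil unless target.start_with?(base + File::SEPARATOR)

  # Caveat: expand_path does not resolve symlinks. If the archive may
  # contain symlink entries, the extractor must also check the realpath
  # of the parent directory at write time.
  target
end

# Maps each entry name to its safe path (or nil); useful for rejecting an
# upload wholesale before extracting anything.
def screen_entries(dest_dir, entry_names)
  entry_names.each_with_object({}) do |name, result|
    result[name] = safe_extract_path(dest_dir, name)
  end
end

if __FILE__ == $PROGRAM_NAME
  screen_entries("/srv/uploads/extract", SAMPLE_ENTRIES).each do |name, path|
    puts "#{path ? 'ok      ' : 'REJECTED'} #{name}"
  end
end
```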


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#856269; Package src:ruby-zip. (Tue, 28 Feb 2017 07:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 28 Feb 2017 07:09:05 GMT)


Message #10 received at 856269@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 856269@bugs.debian.org
Subject: ruby-zip: diff for NMU version 1.2.0-1.1
Date: Tue, 28 Feb 2017 08:08:21 +0100
Control: tags 856269 + pending

Dear maintainer,

I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby-zip-1.2.0-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 856269-submit@bugs.debian.org. (Tue, 28 Feb 2017 07:09:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#856269; Package src:ruby-zip. (Tue, 28 Feb 2017 11:24:04 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 28 Feb 2017 11:24:04 GMT)


Message #17 received at 856269@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 856269@bugs.debian.org
Subject: Re: Bug#856269: ruby-zip: diff for NMU version 1.2.0-1.1
Date: Tue, 28 Feb 2017 08:21:23 -0300
On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> Control: tags 856269 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

thanks - I have just imported the diff to the git repository

are you also doing a stable update?

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#856269; Package src:ruby-zip. (Tue, 28 Feb 2017 13:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 28 Feb 2017 13:03:03 GMT)


Message #22 received at 856269@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antonio Terceiro <terceiro@debian.org>
Cc: 856269@bugs.debian.org
Subject: Re: Bug#856269: ruby-zip: diff for NMU version 1.2.0-1.1
Date: Tue, 28 Feb 2017 14:00:40 +0100
Hi Antonio!

On Tue, Feb 28, 2017 at 08:21:23AM -0300, Antonio Terceiro wrote:
> On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 856269 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> thanks - I have just imported the diff to the git repository
> 
> are you also doing a stable update?

Yep sure, I can take care of it.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 28 Feb 2017 16:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 28 Feb 2017 16:24:03 GMT)


Message #27 received at 856269-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 856269-close@bugs.debian.org
Subject: Bug#856269: fixed in ruby-zip 1.2.0-1.1
Date: Tue, 28 Feb 2017 16:20:21 +0000
Source: ruby-zip
Source-Version: 1.2.0-1.1

We believe that the bug you reported is fixed in the latest version of
ruby-zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856269@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Feb 2017 17:38:59 +0100
Source: ruby-zip
Binary: ruby-zip
Architecture: source
Version: 1.2.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 856269
Description: 
 ruby-zip   - Ruby module for reading and writing zip files
Changes:
 ruby-zip (1.2.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-5946: directory traversal vulnerability in Zip::File component
     (Closes: #856269)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#856269; Package src:ruby-zip. (Wed, 01 Mar 2017 19:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 01 Mar 2017 19:24:05 GMT)


Message #32 received at 856269@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antonio Terceiro <terceiro@debian.org>, 856269@bugs.debian.org
Subject: Re: Bug#856269: ruby-zip: FTBFS on stable
Date: Wed, 1 Mar 2017 20:22:17 +0100
Hi Antonio,

On Tue, Feb 28, 2017 at 08:21:23AM -0300, Antonio Terceiro wrote:
> On Tue, Feb 28, 2017 at 08:08:21AM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 856269 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> thanks - I have just imported the diff to the git repository
> 
> are you also doing a stable update?

Does the build failure as in the attached build log ring some bells
on your end?

Regards,
Salvatore
[ruby-zip_1.1.6-1+deb8u1_amd64.build.gz (application/gzip, attachment)]

Merged 856269 856683 Request was from Salvatore Bonaccorso <carnil@debian.org> to 856683-submit@bugs.debian.org. (Fri, 03 Mar 2017 20:39:12 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 09 Mar 2017 23:24:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Mar 2017 23:24:13 GMT)


Message #39 received at 856269-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 856269-close@bugs.debian.org
Subject: Bug#856269: fixed in ruby-zip 1.1.6-1+deb8u1
Date: Thu, 09 Mar 2017 23:20:45 +0000
Source: ruby-zip
Source-Version: 1.1.6-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
ruby-zip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856269@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Mar 2017 07:21:15 +0100
Source: ruby-zip
Binary: ruby-zip
Architecture: source
Version: 1.1.6-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 856269
Description: 
 ruby-zip   - Ruby module for reading and writing zip files
Changes:
 ruby-zip (1.1.6-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Antonio Terceiro ]
   * debian/patches/ftbfs-jessie.patch: fix build failure on jessie
 .
   [ Salvatore Bonaccorso ]
   * CVE-2017-5946: directory traversal vulnerability in Zip::File component
     (Closes: #856269)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 09 Mar 2017 23:24:14 GMT)


Notification sent to Phillip Prescher <phil.prescher@yello.co>:
Bug acknowledged by developer. (Thu, 09 Mar 2017 23:24:14 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:30:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:46:23 2019; Machine Name: buxtehude
