ruby-minitar: CVE-2016-10173: directory traversal vulnerability


Debian Bug report logs - #853075


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 29 Jan 2017 15:33:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version ruby-minitar/0.5.4-3

Fixed in version ruby-minitar/0.5.4-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/halostatue/minitar/issues/16




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#853075; Package src:ruby-minitar. (Sun, 29 Jan 2017 15:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 29 Jan 2017 15:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-minitar: CVE-2016-10173: directory traversal vulnerability
Date: Sun, 29 Jan 2017 16:29:45 +0100
Source: ruby-minitar
Version: 0.5.4-3
Severity: grave
Tags: security upstream patch
Forwarded: https://github.com/halostatue/minitar/issues/16

Hi,

the following vulnerability was published for ruby-minitar.

CVE-2016-10173[0]:
directory traversal vulnerability

There is an upstream bug for it at [1], which as well references a
minimal patch from SuSE for the issue at [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10173
[1] https://github.com/halostatue/minitar/issues/16
[2] https://bugzilla.opensuse.org/show_bug.cgi?id=1021740#c5

Regards,
Salvatore
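The bug class named in the report above is a tar entry name such as `../../etc/passwd` being joined onto the destination directory without a check, so that extraction writes outside it. What follows is an added example written for this page; it is not minitar's code, the SUSE patch or the upstream fix. It shows the kind of check an unpacker needs, run over constructed entry names (no real tar data is parsed; the `extract_entries` and `safe_entry_path` names and the `[name, type, payload]` entry shape are assumptions of the example). It goes a little beyond the reported issue by also refusing an entry whose parent directory resolves through a symlink planted by an earlier entry.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example (not minitar's code): the checks a tar unpacker needs so that
# a crafted member name cannot write outside the destination directory.
# Entries are [name, type, payload]; type is :dir, :file or :symlink and the
# payload is the file content or the symlink destination.

# Lexical check. Refuses absolute or empty names and any name that lands
# outside dest_dir after "." / ".." normalisation. File.absolute_path is used
# instead of File.expand_path because expand_path would turn a leading "~"
# into a home directory, which is itself an escape route.
def safe_entry_path(dest_dir, entry_name)
  base = File.absolute_path(dest_dir)
  return nil if entry_name.empty? || entry_name.start_with?('/')
  target = File.absolute_path(entry_name, base)
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Physical check. The lexical check passes "lnk/x" even if an earlier entry
# created "lnk" as a symlink to "/", so resolve the deepest ancestor of the
# target that already exists and require its real path to sit under dest_dir.
# Directories created afterwards by mkdir_p are fresh and cannot be symlinks.
def real_parent_inside?(dest_dir, target)
  real_base = File.realpath(dest_dir)
  dir = File.dirname(target)
  dir = File.dirname(dir) until File.exist?(dir)
  real_dir = File.realpath(dir)
  real_dir == real_base || real_dir.start_with?(real_base + File::SEPARATOR)
end

def extract_entries(dest_dir, entries)
  written = []
  rejected = []
  entries.each do |name, type, payload|
    target = safe_entry_path(dest_dir, name)
    if target.nil? || !real_parent_inside?(dest_dir, target)
      rejected << name
      next
    end
    FileUtils.mkdir_p(File.dirname(target))
    case type
    when :dir     then FileUtils.mkdir_p(target)
    when :file    then File.write(target, payload)
    when :symlink then File.symlink(payload, target)
    end
    written << name
  end
  { written: written, rejected: rejected }
end

# Constructed sample archive contents for the demo (not a real reproducer).
SAMPLE_ENTRIES = [
  ['good/',                  :dir,     nil],
  ['good/readme.txt',        :file,    "hello\n"],
  ['../escape1.txt',         :file,    "outside\n"],
  ['/tmp/escape2.txt',       :file,    "outside\n"],
  ['good/../../escape3.txt', :file,    "outside\n"],
  ['~/escape4.txt',          :file,    "stays inside\n"],
  ['lnk',                    :symlink, '/'],
  ['lnk/tmp/escape5.txt',    :file,    "outside via symlink\n"],
].freeze

# Unpacks the sample into a throw-away directory and reports which names were
# written, which were refused, and whether anything landed one level above it.
def demo
  Dir.mktmpdir('unpack') do |dest|
    result = extract_entries(dest, SAMPLE_ENTRIES)
    result.merge(escaped: File.exist?(File.expand_path('../escape1.txt', dest)))
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The symlink case is why a string comparison on the entry name alone is not enough once an archive can also create links; the real-path check closes that unless another process races the unpacker in the same directory, which this example does not defend against.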



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#853075; Package src:ruby-minitar. (Mon, 30 Jan 2017 06:12:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 06:12:02 GMT)


Message #10 received at 853075@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 853075@bugs.debian.org
Cc: Markus Frosch <lazyfrosch@debian.org>
Subject: ruby-minitar: diff for NMU version 0.5.4-3.1
Date: Mon, 30 Jan 2017 07:08:23 +0100
Control: tags 853075 + pending

Dear Markus,

I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ruby-minitar-0.5.4-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 853075-submit@bugs.debian.org. (Mon, 30 Jan 2017 06:12:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#853075; Package src:ruby-minitar. (Mon, 30 Jan 2017 08:39:03 GMT)


Acknowledgement sent to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 08:39:03 GMT)


Message #17 received at 853075@bugs.debian.org:

From: Markus Frosch <lazyfrosch@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 853075@bugs.debian.org
Subject: Re: ruby-minitar: diff for NMU version 0.5.4-3.1
Date: Mon, 30 Jan 2017 09:28:35 +0100
On 30.01.2017 07:08, Salvatore Bonaccorso wrote:
> I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

Thanks Salvatore, I'm perfectly fine with that.

Should I take care about the migration to stretch? Or is there some new auto-security mechanism? :)

Cheers
Markus Frosch
-- 
markus@lazyfrosch.de / lazyfrosch@debian.org
http://www.lazyfrosch.de


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#853075; Package src:ruby-minitar. (Mon, 30 Jan 2017 08:45:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 08:45:08 GMT)


Message #22 received at 853075@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Frosch <lazyfrosch@debian.org>
Cc: 853075@bugs.debian.org
Subject: Re: ruby-minitar: diff for NMU version 0.5.4-3.1
Date: Mon, 30 Jan 2017 09:42:19 +0100
Hi Markus,

On Mon, Jan 30, 2017 at 09:28:35AM +0100, Markus Frosch wrote:
> On 30.01.2017 07:08, Salvatore Bonaccorso wrote:
> > I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> Thanks Salvatore, I'm perfectly fine with that.

Ok, if you want I can as well reschedule to get the fix faster.

> Should I take care about the migration to stretch? Or is there some
> new auto-security mechanism? :)

There is no auto-security mechanism, no ;-). So we need to ask for an
unblock request. If you want to take care of it, it is appreciated.
Otherwise I put it on my TODO list.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 30 Jan 2017 08:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 Jan 2017 08:51:03 GMT)


Message #27 received at 853075-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 853075-close@bugs.debian.org
Subject: Bug#853075: fixed in ruby-minitar 0.5.4-3.1
Date: Mon, 30 Jan 2017 08:48:45 +0000
Source: ruby-minitar
Source-Version: 0.5.4-3.1

We believe that the bug you reported is fixed in the latest version of
ruby-minitar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 853075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ruby-minitar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 30 Jan 2017 07:00:07 +0100
Source: ruby-minitar
Binary: ruby-minitar ruby-archive-tar-minitar
Architecture: all source
Version: 0.5.4-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 853075
Description: 
 ruby-archive-tar-minitar - Provides POSIX tarchive management for Ruby - transitional package
 ruby-minitar - Provides POSIX tarchive management for Ruby
Changes:
 ruby-minitar (0.5.4-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
Checksums-Sha1: 
 51b0649333449f6ab5b04e0b5d0ac473834a8105 4428 ruby-archive-tar-minitar_0.5.4-3.1_all.deb
 52c859db24f973f47e1d166ac1c0c482f8fa5d15 17188 ruby-minitar_0.5.4-3.1_all.deb
 722a5d94349c085d8d85cb0e0010c77be76080c7 2296 ruby-minitar_0.5.4-3.1.dsc
 bdb98db36eb2ba56a02b2efb47e898a6da3b17a2 3692 ruby-minitar_0.5.4-3.1.debian.tar.xz
Checksums-Sha256: 
 2a175dcd081c250af275a1428966c91e2bc5ac869a7ddd671a0b5bc2927cb56d 4428 ruby-archive-tar-minitar_0.5.4-3.1_all.deb
 e1c84f0624f1a68536d1953081641af876df32f86ce99172a0dff7b73869d52b 17188 ruby-minitar_0.5.4-3.1_all.deb
 992b50c9d70077af7aa0211c4600fc3d71abf5a7a1fa7b6223cdbeb23ba2c63f 2296 ruby-minitar_0.5.4-3.1.dsc
 62f4e761ab3947cac6af55edd9053da5b069afb40a19f983f24440f2ad6f59ac 3692 ruby-minitar_0.5.4-3.1.debian.tar.xz
Files: 
 97019f4958404aa690c36c9865ae9da8 4428 oldlibs extra ruby-archive-tar-minitar_0.5.4-3.1_all.deb
 f77894d90df95ea41254f014eda36767 17188 ruby optional ruby-minitar_0.5.4-3.1_all.deb
 d50bc53d9f9844a28d306905f50f62d1 2296 ruby optional ruby-minitar_0.5.4-3.1.dsc
 9277f0c58bda61740971ed663ccb27f9 3692 ruby optional ruby-minitar_0.5.4-3.1.debian.tar.xz





Bug 853075 cloned as bug 853249. Request was from Balint Reczey <balint@balintreczey.hu> to control@bugs.debian.org. (Mon, 30 Jan 2017 19:51:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#853075; Package src:ruby-minitar. (Tue, 31 Jan 2017 17:45:03 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 31 Jan 2017 17:45:03 GMT)


Message #34 received at 853075@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 853075@bugs.debian.org
Cc: Markus Frosch <lazyfrosch@debian.org>
Subject: Re: Bug#853075: ruby-minitar: diff for NMU version 0.5.4-3.1
Date: Tue, 31 Jan 2017 15:40:28 -0200
Hi,

On Mon, Jan 30, 2017 at 09:42:19AM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Mon, Jan 30, 2017 at 09:28:35AM +0100, Markus Frosch wrote:
> > On 30.01.2017 07:08, Salvatore Bonaccorso wrote:
> > > I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
> > > uploaded it to DELAYED/5. Please feel free to tell me if I
> > > should delay it longer.
> > 
> > Thanks Salvatore, I'm perfectly fine with that.

Thanks indeed. I have just imported the NMU in the git repository and
pushed to alioth

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Mar 2017 07:33:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:35:04 2019; Machine Name: buxtehude
