ruby-zip: CVE-2019-16892

Related Vulnerabilities: CVE-2019-16892  

Debian Bug report logs - #941222
ruby-zip: CVE-2019-16892

version graph

Reported by: Salvatore Bonaccorso <>

Date: Thu, 26 Sep 2019 17:21:02 UTC

Severity: important

Tags: security, upstream

Found in version ruby-zip/1.2.2-1

Forwarded to

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to,,,, Debian Ruby Extras Maintainers <>:
Bug#941222; Package src:ruby-zip. (Thu, 26 Sep 2019 17:21:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <>:
New Bug report received and forwarded. Copy sent to,,, Debian Ruby Extras Maintainers <>. (Thu, 26 Sep 2019 17:21:04 GMT) (full text, mbox, link).

Message #5 received at (full text, mbox, reply):

From: Salvatore Bonaccorso <>
To: Debian Bug Tracking System <>
Subject: ruby-zip: CVE-2019-16892
Date: Thu, 26 Sep 2019 19:17:16 +0200
Source: ruby-zip
Version: 1.2.2-1
Severity: important
Tags: security upstream


The following vulnerability was published for ruby-zip.

| In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
| checks on ZIP entry sizes because data about the uncompressed size can
| be spoofed. This allows attackers to cause a denial of service (disk
| consumption).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:


Please adjust the affected versions in the BTS as needed.


Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Fri Sep 27 16:46:39 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.