[DRE-maint] Bug#902720: CVE-2018-1000544
Markus Koschany
apo at debian.org
Wed Aug 15 11:33:30 BST 2018
Control: tags -1 pending
I have uploaded a security update to address CVE-2018-1000544. Please
find attached the debdiff.
Markus
-------------- next part --------------
diff -Nru ruby-zip-1.2.1/debian/changelog ruby-zip-1.2.1/debian/changelog
--- ruby-zip-1.2.1/debian/changelog 2017-06-27 20:18:00.000000000 +0200
+++ ruby-zip-1.2.1/debian/changelog 2018-08-13 13:57:54.000000000 +0200
@@ -1,3 +1,15 @@
+ruby-zip (1.2.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-1000544:
+ rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory
+ Traversal vulnerability that can be exploited to write arbitrary files to
+ the filesystem. (Closes: #902720)
+ * Drop CVE-2017-5946.patch because this one was already fixed in version
+ 1.2.1.
+
+ -- Markus Koschany <apo at debian.org> Mon, 13 Aug 2018 13:57:54 +0200
+
ruby-zip (1.2.1-1) unstable; urgency=medium
* Team upload
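Review bot: the CVE-2018-1000544 description copied into this entry reads awkwardly ("rubyzip gem rubyzip version 1.2.1 and earlier") and gives no pointer to the upstream change; consider naming the upstream commits or release the two CVE-2018-1000544_part*.patch files are taken from so the fix can be traced. The same applies to the line "Drop CVE-2017-5946.patch because this one was already fixed in version 1.2.1": citing the upstream commit that carries the fix would make the drop verifiable.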
diff -Nru ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch
--- ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch 2017-06-27 20:18:00.000000000 +0200
+++ ruby-zip-1.2.1/debian/patches/CVE-2017-5946.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,23 +0,0 @@
-From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
-From: Alexander Simonov <alex at simonov.me>
-Date: Wed, 8 Feb 2017 13:43:14 +0200
-Subject: [PATCH] Fix #315 and resolve relative path vulnerability
-
----
- lib/zip/entry.rb | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/lib/zip/entry.rb
-+++ b/lib/zip/entry.rb
-@@ -155,6 +155,11 @@
- return self
- end
-
-+ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
-+ puts "WARNING: skipped \"../\" path component(s) in #{@name}"
-+ return self
-+ end
-+
- if directory? || file? || symlink?
- __send__("create_#{@ftype}", dest_path, &block)
- else
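Review bot: removing this patch takes away the only traversal guard visible in this debdiff, the `@name.squeeze('/') =~ /\.{2}(?:\/|\z)/` check that skips an entry whose name contains a `..` component; the changelog says 1.2.1 already contains the upstream equivalent, so please confirm that the replacement _part1/_part2 patches (not readable here) preserve that protection before merging. Note also that this check inspects only the entry name for `..` segments, so an absolute entry name passes it unchanged; a replacement is stronger if it validates the resolved destination path against the extraction directory instead of pattern-matching the name, and it should not rely on a `puts` warning as its only signal.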
Binärdateien /tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch und /tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part1.patch sind verschieden.
Binärdateien /tmp/PnO56ihERK/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch und /tmp/XzTwLOhW91/ruby-zip-1.2.1/debian/patches/CVE-2018-1000544_part2.patch sind verschieden.
diff -Nru ruby-zip-1.2.1/debian/patches/series ruby-zip-1.2.1/debian/patches/series
--- ruby-zip-1.2.1/debian/patches/series 2017-06-27 20:18:00.000000000 +0200
+++ ruby-zip-1.2.1/debian/patches/series 2018-08-13 13:57:54.000000000 +0200
@@ -1,4 +1,5 @@
require-forwardable-fix-test.patch
ignore-simplecov.diff
fix-random-tests-failures
-CVE-2017-5946.patch
+CVE-2018-1000544_part1.patch
+CVE-2018-1000544_part2.patch
diff -Nru ruby-zip-1.2.1/debian/source/include-binaries ruby-zip-1.2.1/debian/source/include-binaries
--- ruby-zip-1.2.1/debian/source/include-binaries 1970-01-01 01:00:00.000000000 +0100
+++ ruby-zip-1.2.1/debian/source/include-binaries 2018-08-13 13:57:54.000000000 +0200
@@ -0,0 +1,2 @@
+debian/patches/CVE-2018-1000544_part1.patch
+debian/patches/CVE-2018-1000544_part2.patch
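Review bot: listing the two patches in debian/source/include-binaries marks them as binary for the 3.0 (quilt) source format, which is why debdiff reports them above only as "Binärdateien ... sind verschieden" and the actual CVE-2018-1000544 fix cannot be reviewed in this mail. Patch files are text by nature; if they were flagged binary only because of non-UTF-8 bytes in their context lines, consider regenerating them with a clean encoding so they appear as plain text in the debdiff, and then drop this include-binaries file.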