Control: tags 856269 + pending

Dear maintainer,

I've prepared an NMU for ruby-zip (versioned as 1.2.0-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru ruby-zip-1.2.0/debian/changelog ruby-zip-1.2.0/debian/changelog --- ruby-zip-1.2.0/debian/changelog 2016-09-10 08:12:53.000000000 +0200 +++ ruby-zip-1.2.0/debian/changelog 2017-02-27 17:38:59.000000000 +0100 @@ -1,3 +1,11 @@ +ruby-zip (1.2.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2017-5946: directory traversal vulnerability in Zip::File component + (Closes: #856269) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 27 Feb 2017 17:38:59 +0100 + ruby-zip (1.2.0-1) unstable; urgency=medium * Team upload. diff -Nru ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch --- ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-zip-1.2.0/debian/patches/CVE-2017-5946.patch 2017-02-27 17:38:59.000000000 +0100 @@ -0,0 +1,28 @@ +From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001 +From: Alexander Simonov <a...@simonov.me> +Date: Wed, 8 Feb 2017 13:43:14 +0200 +Subject: [PATCH] Fix #315 and resolve relative path vulnerability + +--- + lib/zip/entry.rb | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb +index 7884458..0aba0eb 100644 +--- a/lib/zip/entry.rb ++++ b/lib/zip/entry.rb +@@ -150,6 +150,11 @@ module Zip + def extract(dest_path = @name, &block) + block ||= proc { ::Zip.on_exists_proc } + ++ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/ ++ puts "WARNING: skipped \"../\" path component(s) in #{@name}" ++ return self ++ end ++ + if directory? || file? || symlink? + __send__("create_#{@ftype}", dest_path, &block) + else +-- +2.11.0 + diff -Nru ruby-zip-1.2.0/debian/patches/series ruby-zip-1.2.0/debian/patches/series --- ruby-zip-1.2.0/debian/patches/series 2016-09-10 08:12:53.000000000 +0200 +++ ruby-zip-1.2.0/debian/patches/series 2017-02-27 17:38:59.000000000 +0100 @@ -1,3 +1,4 @@ require-forwardable-fix-test.patch ignore-simplecov.diff fix-random-tests-failures +CVE-2017-5946.patch
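Review bot: the new guard in lib/zip/entry.rb (the `+if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/` block added by CVE-2017-5946.patch) only rejects `..` path components, so an entry whose name is an absolute path (leading `/`) is not caught and, since `dest_path` defaults to `@name`, is still written outside the extraction directory; consider also rejecting names that begin with `/`, or normalising `dest_path` and checking that it stays under the intended root. Second, the skipped entry is only reported with `puts` to stdout followed by `return self`, which a library caller can neither detect nor silence; raising an exception (rubyzip already defines `Zip::Error`) would let callers handle the rejected entry explicitly. Finally, the Debian patch file carries only the git format-patch header; adding DEP-3 `Origin:` (the upstream commit ce4208f is already named in the header) and `Bug-Debian: https://bugs.debian.org/856269` fields would document why it is applied.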