Your message dated Sat, 22 Jul 2017 21:18:09 +0000
with message-id <e1dz1mr-0008b6...@fasolo.debian.org>
and subject line Bug#868572: fixed in ruby-mixlib-archive 0.2.0-1+deb9u1
has caused the Debian Bug report #868572,
regarding ruby-mixlib-archive: CVE-2017-1000026
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-mixlib-archive
Version: 0.2.0-1
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://github.com/chef/mixlib-archive/pull/6

Hi,

the following vulnerability was published for ruby-mixlib-archive.

CVE-2017-1000026[0]:
| Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable
| to a directory traversal attack allowing attackers to overwrite
| arbitrary files by using ".." in tar archive entries

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000026
[1] https://github.com/chef/mixlib-archive/pull/6

Regards,
Salvatore

--- End Message ---
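
Added illustration, not part of the original bug report and not the mixlib-archive patch: a Ruby pre-extraction check for the ".." tar entries the CVE text describes. The helper names, the `/srv/extract` destination and the in-memory sample archive are assumptions constructed for this example; the tar classes are the ones shipped with RubyGems.

```ruby
require "rubygems/package" # Gem::Package::TarReader / TarWriter ship with Ruby
require "stringio"
require "pathname"

# Hypothetical helper: reason an entry name is unsafe for dest, or nil if it is fine.
def unsafe_reason(name, dest)
  path = Pathname.new(name)
  return "absolute path" if path.absolute?

  root = Pathname.new(dest).cleanpath
  # Resolve "." and ".." lexically, then require the result to stay under root.
  target = root.join(path).cleanpath
  inside = target == root || target.to_s.start_with?(root.to_s + File::SEPARATOR)
  inside ? nil : "escapes #{root}"
end

# Scan a tar stream before extracting; returns { entry_name => reason }.
def audit_tar(io, dest)
  findings = {}
  Gem::Package::TarReader.new(io).each do |entry|
    reason = unsafe_reason(entry.full_name, dest)
    findings[entry.full_name] = reason if reason
  end
  findings
end

# Constructed sample archive, built in memory (two benign, two traversing names).
def sample_tar
  io = StringIO.new(String.new)
  names = ["docs/readme.txt", "docs/../notes.txt",
           "../../outside.txt", "a/../../b.txt"]
  Gem::Package::TarWriter.new(io) do |tar|
    names.each do |name|
      tar.add_file_simple(name, 0o644, 4) { |f| f.write("data") }
    end
  end
  io.rewind
  io
end

if __FILE__ == $PROGRAM_NAME
  audit_tar(sample_tar, "/srv/extract").each do |name, reason|
    puts "REJECT #{name}: #{reason}"
  end
end
```

The check is lexical only: it covers entry names, and symlink or hard-link entries need their own handling before extraction.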
--- Begin Message ---
Source: ruby-mixlib-archive
Source-Version: 0.2.0-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
ruby-mixlib-archive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hleb Valoshka <375...@gmail.com> (supplier of updated ruby-mixlib-archive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jul 2017 17:42:56 +0300
Source: ruby-mixlib-archive
Binary: ruby-mixlib-archive
Architecture: source all
Version: 0.2.0-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Hleb Valoshka <375...@gmail.com>
Description:
 ruby-mixlib-archive - simple interface to various archive formats
Closes: 868572
Changes:
 ruby-mixlib-archive (0.2.0-1+deb9u1) stretch-security; urgency=high
 .
   * Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572)


--- End Message ---