Control: tags 853075 + pending

Dear Markus,

I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru ruby-minitar-0.5.4/debian/changelog ruby-minitar-0.5.4/debian/changelog
--- ruby-minitar-0.5.4/debian/changelog	2016-01-24 11:54:26.000000000 +0100
+++ ruby-minitar-0.5.4/debian/changelog	2017-01-30 07:00:07.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-minitar (0.5.4-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 30 Jan 2017 07:00:07 +0100
+
 ruby-minitar (0.5.4-3) unstable; urgency=medium
 
   * [817a137] Move VCS to pkg-ruby-extras
diff -Nru ruby-minitar-0.5.4/debian/patches/CVE-2016-10173.patch ruby-minitar-0.5.4/debian/patches/CVE-2016-10173.patch
--- ruby-minitar-0.5.4/debian/patches/CVE-2016-10173.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-minitar-0.5.4/debian/patches/CVE-2016-10173.patch	2017-01-30 07:00:07.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2016-10173: directory traversal vulnerability
+Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
+Bug: https://github.com/halostatue/minitar/issues/16
+Bug-Debian: https://bugs.debian.org/853075
+Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
+Forwarded: not-needed
+Author: Jordi Massaguer
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2017-01-30
+
+--- a/lib/archive/tar/minitar.rb	
++++ a/lib/archive/tar/minitar.rb	
+@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
+         end
+ 
+         inp.each do |entry|
++            if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++              raise entry.full_name + " Error path contains .."
++            end
+           if files.empty? or files.include?(entry.full_name)
+             inp.extract_entry(dest, entry, &block)
+           end
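Review bot: the traversal check is placed only inside the `inp.each do |entry|` loop of the unpack path, so a caller that invokes `inp.extract_entry(dest, entry, &block)` directly (the call visible three lines below the new check) still extracts an entry whose name contains `..`; moving the check into `extract_entry` itself would cover both paths. The pattern `/\.{2}(?:\/|\z)/` on the squeezed name also does not reject an absolute entry name (leading `/`), which can likewise land outside `dest`, so a second condition for that case belongs next to it. `raise entry.full_name + " Error path contains .."` raises a bare RuntimeError with the name glued to the front of the message; a dedicated exception class and a message such as `"#{entry.full_name}: path contains .."` would be easier for callers to rescue and read. Minor: the inner `+++ a/lib/archive/tar/minitar.rb` header should read `b/` to match the `--- a/` line, and both inner file headers carry a trailing tab.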
diff -Nru ruby-minitar-0.5.4/debian/patches/series ruby-minitar-0.5.4/debian/patches/series
--- ruby-minitar-0.5.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ruby-minitar-0.5.4/debian/patches/series	2017-01-30 07:00:07.000000000 +0100
@@ -0,0 +1 @@
+CVE-2016-10173.patch