Bug 21480

Summary:	ruby-mixlib-archive, <replace this with a short summary of the program's purpose>
Product:	Mageia	Reporter:	Zombie Ryushu <zombie_ryushu>
Component:	Security	Assignee:	Mageia Bug Squad <bugsquad>
Status:	RESOLVED INVALID	QA Contact:
Severity:	enhancement
Priority:	Normal	CC:	marja11
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	ruby-mixlib-archive	CVE:
Status comment:

Description Zombie Ryushu 2017-08-09 23:43:00 CEST Comment hidden (obsolete)

It was discovered that ruby-mixlib-archive, a Chef Software's library used to handle various archive formats, was vulnerable to a directory traversal attack. This allowed attackers to overwrite arbitrary files by using a malicious tar archive containing ".." in its entries.

Comment 1 Marja Van Waes 2017-08-11 12:30:06 CEST Comment hidden (obsolete)

We don't seem to have that software.

CC: (none) => marja11
Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 2 Zombie Ryushu 2017-08-11 13:22:09 CEST

Then consider it a Package Request.

Component: RPM Packages => New RPM package request
Status: RESOLVED => REOPENED
Resolution: INVALID => (none)

Comment 3 Marja Van Waes 2017-08-11 19:53:55 CEST

Hi Zombie,

Please read https://wiki.mageia.org/en/How_to_report_a_bug_properly#How_to_file_a_package_request
and adjust this report accordingly.

(Obsoleting the description and comment #1, since they are now unrelated)

Summary: ruby-mixlib-archive security vulnerability CVE-2017-1000026 => ruby-mixlib-archive, <replace this with a short summary of the program's purpose>
URL: https://www.debian.org/security/2017/dsa-3915 => (none)

Comment 4 David Walser 2017-08-13 20:06:00 CEST

A piece of software *having* a security vulnerability is not a reason to import it.  This is the second time.  Please stop this.

Status: REOPENED => RESOLVED
Resolution: (none) => INVALID
Component: New RPM package request => Security