Description of problem:
Our current version of ruby minitar contains a code error and needs a simple patch in order to work. 'require_gem' is deprecated and needs to be replaced by 'gem' and, as far as is known, the fault occurs in only one place. The correction has been tested in QA against version 14.1 and shown to work.
Further note: /usr/bin/minitar uses 'gem', not 'require_gem'.

$ sudo urpmi ruby-archive-tar-minitar
$MIRRORLIST: media/core/release/ruby-archive-tar-minitar-0.5.2-14.mga5.noarch.rpm
$ minitar extract bin.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar:19:in `<top (required)>': undefined method `require_gem' for main:Object (NoMethodError)
        from /usr/bin/minitar:23:in `load'
        from /usr/bin/minitar:23:in `<main>'
$ ruby --version
ruby 2.0.0p648 (2015-12-16 revision 53162) [x86_64-linux]

Version-Release number of selected component (if applicable):
ruby-archive-tar-minitar-0.5.2-14.mga5.noarch

How reproducible:
It is consistent.

Steps to Reproduce:
1. Install ruby-archive-tar-minitar-0.5.2-14
2. Use minitar to extract a standard TAR file
3.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in the minitar before 0.6 and archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write to arbitrary files via a .. (dot dot) in a TAR archive entry. (CVE-2016-10173)

Moreover the updated packages replace the deprecated require_gem by gem to make minitar work.

References:
http://openwall.com/lists/oss-security/2017/01/29/1
https://lwn.net/Alerts/713128/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10173
========================

Updated package in core/updates_testing:
========================
ruby-archive-tar-minitar-0.5.2-14.2.mga5
ruby-archive-tar-minitar-doc-0.5.2-14.2.mga5

from SRPMS:
ruby-archive-tar-minitar-0.5.2-14.2.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Component: RPM Packages => Security
Summary: Deprecated code in ruby-archive-tar-minitar => Deprecated code and new security issue CVE-2016-10173 in ruby-archive-tar-minitar
Blocks: (none) => 20207
Testing this again on x86_64 after updating the packages.

$ minitar extract icons.tar

This generated an icons directory with a number of valid image icons in it.

Used the earlier PoC file to demonstrate that the updated minitar traps the CVE-2016-10173 issue.

$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

followed by a backtrace.
Whiteboard: (none) => has_procedure MGA5-64-OK
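The check that the updated package applies to archive entry names, shown here as an added Ruby example; this is not code from the minitar gem or from the Mageia packaging. It assumes a constructed list of entries (SAMPLE_ENTRIES, with a symlink whose target mirrors the PoC path quoted above) and a hypothetical destination directory /tmp/extract. It goes one step beyond the "path contains .." check by also resolving each entry, and each symlink target, against the destination and rejecting anything that lands outside it.

```ruby
# Constructed sample entries standing in for the members of a tar archive:
# a name, a type and, for symlinks, the link target. The symlink target
# mirrors the PoC path quoted in the comments above.
SAMPLE_ENTRIES = [
  { name: "bin/accumulate",    type: :file },
  { name: "bin/tidy",          type: :file },
  { name: "bin/./copycal",     type: :file },
  { name: "/etc/passwd",       type: :file },
  { name: "bin/../../outside", type: :file },
  { name: "link", type: :symlink,
    target: "../../../../../../../../../../../../../../../tmp/qwerty1234" },
].freeze

class UnsafePathError < RuntimeError; end

# Reject absolute names and any name with a ".." component. This is the
# same class of check the patched minitar performs ("Error path contains .."),
# written here as a stand-alone helper, not the gem's own code.
def validate_entry_name!(name)
  raise UnsafePathError, "#{name}: absolute path" if name.start_with?("/")
  raise UnsafePathError, "#{name}: path contains .." if name.split("/").include?("..")
  name
end

# Resolve an entry under dest and confirm the result still lies inside dest.
# A symlink target is resolved relative to the link's own directory, so
# "link -> ../../tmp/x" is caught even though the name "link" is clean.
def safe_destination(dest, entry)
  validate_entry_name!(entry[:name])
  root = File.expand_path(dest)
  full = File.expand_path(entry[:name], root)
  full = File.expand_path(entry[:target], File.dirname(full)) if entry[:type] == :symlink
  unless full == root || full.start_with?("#{root}/")
    raise UnsafePathError, "#{entry[:name]}: escapes #{dest}"
  end
  full
end

# Walk the entries and split them into accepted destinations and rejections.
def check_entries(dest, entries = SAMPLE_ENTRIES)
  accepted = {}
  rejected = {}
  entries.each do |entry|
    begin
      accepted[entry[:name]] = safe_destination(dest, entry)
    rescue UnsafePathError => e
      rejected[entry[:name]] = e.message
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = check_entries("/tmp/extract")
  accepted.each { |name, path| puts "ok      #{name} -> #{path}" }
  rejected.each { |_name, msg| puts "REJECT  #{msg}" }
end
```

Run with `ruby check_entries.rb`: the three clean names resolve under /tmp/extract, the absolute name and the name with a ".." component are refused by the name check, and the symlink is refused by the containment check because its target resolves to /tmp/qwerty1234. Note that the containment check uses File.expand_path, which does not consult the filesystem; an extractor that creates symlinks during unpacking also has to guard against later entries being written through a link created earlier.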
Updated these on i586 virtualbox.

Checked the source code at /usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/bin/minitar to confirm the edit:

gem 'archive-tar-minitar', '= 0.5.2'

$ mv bin oldbin
$ minitar extract bin.tar
$ ls bin
accumulate copycal gorilla printcode tarback backdocs copydata hail printing tbird backroom copydocs hailstones purgelist tidy
.......

Tested PoC file:

$ minitar extract symlink-overwrite.tar
/usr/share/ruby/gems/gems/archive-tar-minitar-0.5.2/lib/archive/tar/minitar.rb:973:in `block (2 levels) in unpack': ../../../../../../../../../../../../../../../tmp/qwerty1234 Error path contains .. (RuntimeError)

which is the expected output.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Validating & advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0060.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED