openSUSE has issued an advisory today (August 10):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00025.html

The issue is fixed upstream in 1.2.1 according to the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1027050

Mageia 5 is also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => cooker, marja11, pterjan, shlomif
Assignee: bugsquad => pkg-bugs
For the record, the fix: https://github.com/rubyzip/rubyzip/commit/ce4208fdecc2ad079b05d3c49d70fe6ed1d07016
CC: (none) => mageia
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Pushed in updates_testing, src.rpm:
ruby-rubyzip-1.1.4-3.1.mga5
ruby-rubyzip-1.1.7-1.1.mga6
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated ruby-rubyzip packages fix security vulnerability:

A directory traversal vulnerability could lead to access and overwrite files that are outside of the restricted directory (CVE-2017-5946).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5946
https://lists.opensuse.org/opensuse-updates/2017-08/msg00025.html
========================

Updated packages in core/updates_testing:
========================
ruby-rubyzip-1.1.4-3.1.mga5
ruby-rubyzip-doc-1.1.4-3.1.mga5
ruby-rubyzip-1.1.7-1.1.mga6
ruby-rubyzip-doc-1.1.7-1.1.mga6

from SRPMS:
ruby-rubyzip-1.1.4-3.1.mga5.src.rpm
ruby-rubyzip-1.1.7-1.1.mga6.src.rpm
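Added example, not part of this bug report, of the rubyzip gem or of the linked fix commit: the advisory describes a classic zip-slip, where an archive entry named with "../" segments or an absolute path is written outside the extraction directory. The script below shows the containment check an extractor needs, written in plain Ruby so it runs without the gem. The function names (safe_entry_path, extract_entries), the name => content hash standing in for zip entries, and the sample entry names are all constructed for illustration; they are not rubyzip's API.

```ruby
require 'fileutils'
require 'tmpdir'

# Resolve where an archive entry named +entry_name+ would land under
# +dest_dir+. Returns the absolute target path, or nil when the entry
# would escape dest_dir. Rejects:
#   - "../" traversal        ("../../tmp/x")
#   - absolute names         ("/etc/passwd"; expand_path ignores base)
#   - traversal after a safe prefix ("data/../../x")
#   - sibling-prefix trick   ("../out2/x" when dest is ".../out"),
#     which is why the comparison uses base + separator, not just base
#   - "~" names, which File.expand_path expands to a home directory
# (helper name is ours, not rubyzip's)
def safe_entry_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # expand_path normalises "." and ".." before we compare prefixes.
  target = File.expand_path(entry_name, base)
  return nil unless target.start_with?(base + File::SEPARATOR)
  target
rescue ArgumentError
  # "~user" forms raise when the user does not exist; treat as unsafe.
  nil
end

# Extract constructed entries (name => content; a trailing "/" marks a
# directory entry, as in zip central-directory names) into dest_dir,
# skipping any entry whose path escapes it.
# Returns [written_paths, rejected_names].
def extract_entries(entries, dest_dir)
  written = []
  rejected = []
  entries.each do |name, content|
    path = safe_entry_path(dest_dir, name)
    if path.nil?
      rejected << name
      next
    end
    if name.end_with?('/')
      FileUtils.mkdir_p(path)
    else
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, content)
    end
    written << path
  end
  [written, rejected]
end

# Constructed sample standing in for a hostile archive's entry list.
SAMPLE_ENTRIES = {
  'data/'                  => nil,
  'data/readme.txt'        => "hello\n",
  '../../tmp/escaped.txt'  => "owned\n",
  '/etc/passwd'            => "root::0:0:::\n",
  'data/../../sibling.txt' => "x\n"
}.freeze

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, 'out')
    written, rejected = extract_entries(SAMPLE_ENTRIES, dest)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```

The check is done on the fully resolved path, after the base directory has been joined, rather than by grepping the raw entry name for "../": a name such as "data/../../x" has no leading dot-dot yet still escapes, and an absolute name has no dot-dot at all. Symlinked directories inside the destination (compare the "finishing deferred symbolic links" line in the unzip output further down) are a separate concern that a prefix check on the lexical path does not cover.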
mga6 x86_64 Installed the pre-update packages and developed a short test script based on the documentation at https://mensfeld.pl/2011/12/using-ruby-and-zip-library-to-compress-directories-and-read-single-file-from-compressed-collection/ It successfully creates a zip file for a designated directory and this can be unzipped using unzip. However, I am having trouble extracting single files using the test script. Pursuing this tomorrow.
CC: (none) => tarazed25
Attaching a test script. Ran this again to generate a zip file and managed to extract a single file and write its contents to a new file. Leaving the updates until later - halfway through the night here.
Created attachment 9587 [details] Sample script to demonstrate zip functions from the rubyzip gem Anybody wanting to use this should edit it to suit. It should be fairly obvious where to change file names.
Created attachment 9588 [details] Sample script to exercise the ruby-zip gem
Attachment 9587 is obsolete: 0 => 1
Created attachment 9589 [details] Sample script to exercise the ruby-zip gem
Attachment 9588 is obsolete: 0 => 1
Created attachment 9590 [details] Sample script to demonstrate zip methods from the ruby zip gem Sorry about that. Forgot a one-line change in the shell operations.
Attachment 9589 is obsolete: 0 => 1
mga6 x86_64 Mate

No reproducers available at this time. Installed the updates.

$ rpm -qa | grep ruby | grep zip
ruby-rubyzip-doc-1.1.7-1.1.mga6
ruby-rubyzip-1.1.7-1.1.mga6

$ zipx data
Zipping directory data
-rw------- 1 lcl lcl 41743315 Aug 12 07:34 /home/lcl/data.zip
Difference between original and extracted files is : :

Moved zip file to an out-of-the-way directory and unzipped it.

$ ls ~/tmp/*.zip
/home/lcl/tmp/data.zip
$ cd tmp
$ unzip data.zip
Archive:  data.zip
   creating: data/Christmas/
  inflating: data/Christmas/Cardlist
  ......
  inflating: data/vlcchans.xspf
   creating: data/web/
  inflating: data/web/googlemail
  inflating: data/web/urls
  inflating: data/xyz.odt
finishing deferred symbolic links:
  data/calco/data -> /home/lcl/.local/share/calco
$ ls -l
drwxr-xr-x 30 lcl lcl     4096 Aug 12 08:22 data/
-rw------- 1 lcl lcl 41743315 Aug 12 07:34 data.zip

Good for 64-bits. These are noarch packages so there should be no surprises on 32-bit platforms.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
mga6 i586 in virtualbox Mate Ran the tests outlined in comment 11 before and after the updates. That went well. OK for 32-bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK
Created attachment 9591 [details] Sample script to demonstrate zip methods in ruby Changed mv to cp.
mga5 x86_64 KDE4 Installed the updates and used the tests from comment 11 to zip a directory and extract a file from it. Copied the zip file to ~/tmp and extracted its contents using unzip. All OK.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
mga5 i586 on virtualbox Mate Ran the comment tests before and after the updates, with positive results. This update can be validated.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Why don't the balls turn green?
CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0264.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED