Closed edymerchk closed 7 years ago
The CVE doesn't really apply here, because rubyzip is only used for generating ZIP files, but not for unzipping them:
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
I think the best way to solve this would be to bump the rubyzip version in your Gemfile.lock.
Bumping the minimum required rubyzip version in the gem would also raise the minimum required Ruby version from >= 1.9.1 to >= 1.9.2 to match the requirement of current rubyzip versions.
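The CVE quoted above only matters on the extraction side, which this gem does not use. For an application that does unpack uploaded archives, the defence is to resolve every entry name against the destination directory and refuse anything that lands outside it. The following is an added example, not code from this thread or from the rubyzip project; it deliberately avoids depending on the rubyzip gem (the entry names in SAMPLE_ENTRIES are constructed, and `check_entries` is a hypothetical helper you would feed with `zip.entries.map(&:name)`).

```ruby
# Added example (not from the rubyzip project or this issue): a destination-path
# check of the kind that guards extraction against "../" entries such as the
# ones described in CVE-2017-5946. Pure Ruby, no rubyzip dependency.

# Returns the absolute path an archive entry would be written to, or nil if the
# entry name would escape dest_dir (via "..", an absolute path, a "~" home
# expansion, or a Windows drive prefix).
def safe_extract_target(dest_dir, entry_name)
  base = File.expand_path(dest_dir)

  # Reject names that File.expand_path would resolve away from base on its own:
  # absolute paths, "~user" home-directory expansion, and "C:" style prefixes.
  return nil if entry_name.start_with?("/", "~") || entry_name.match?(/\A[A-Za-z]:/)

  # Normalise the candidate path ("a/../b" becomes "<base>/b") and then require
  # that the result is base itself or lies strictly below "base/".
  target = File.expand_path(entry_name, base)
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)

  target
end

# Hypothetical helper: walks a list of entry names (for rubyzip that would be
# zip.entries.map(&:name)) and splits them into safe targets and rejected names.
def check_entries(dest_dir, entry_names)
  safe = {}
  rejected = []
  entry_names.each do |name|
    target = safe_extract_target(dest_dir, name)
    if target
      safe[name] = target
    else
      rejected << name
    end
  end
  [safe, rejected]
end

# Constructed sample of entry names as an attacker-controlled archive might carry.
SAMPLE_ENTRIES = [
  "report.csv",
  "images/logo.png",
  "../../etc/cron.d/evil",
  "/etc/passwd",
  "a/../b.txt",
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, rejected = check_entries("/tmp/uploads/extract", SAMPLE_ENTRIES)
  puts "safe:     #{safe.keys.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Note that `a/../b.txt` is accepted because, once normalised, it still lands inside the destination; the check is on where the entry ends up, not on whether the name contains `..`. Symlinks already present in the destination are a separate concern that a path-string check alone does not cover.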
@felixbuenemann you are right, thanks!
Thanks for this project!
I'm using this gem in a project with CodeClimate and right now I'm getting an offense because of a significant vulnerability issue:
Advisory: CVE-2017-5946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2017-5946
URL: https://github.com/rubyzip/rubyzip/issues/315