Closed ecneladis closed 7 years ago
Hi @halostatue, I'm in the process of requesting a CVE for this issue. It looks like this has been resolved.
I see that the latest version on Rubygems is 0.5.4. Is this still a pre-release repo? Is it correct to say that it will be fixed in 0.6, whenever that's released?
It is correct to say that will be fixed in 0.6. I hope to have this released soon but am trying to catch up on other stuff before I release this (which is a slightly breaking change).
It’s blocked on #20, but that’s all on me.
This is a proposed patch for previous versions
This issue has been assigned CVE-2016-10173
Note, bundle-audit already catches minitar 0.5.4 as being vulnerable as per the CVE, and advises an upgrade to 0.6.0 which is yet-to-be-released. This may be failing CI jobs for some people who perform bundle-audit checks there (as we do).
Thank you. I’m in the middle of a fairly busy week at work and do not expect to be able to finalize and prepare a release before the weekend at the earliest. Sorry for this, but this hasn’t been something at the top of my priority list because it’s not my paying job. I will try to get it done for the weekend.
Overview
Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/
Proof of Concept
Desired behaviour:
Example of how bsdtar handles this kind of issue:
Vulnerable, verified versions of gems:
Related issue: https://github.com/atoulme/minitar/issues/5
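The check an extractor needs in order to stop the dot-dot overwrite described above, as an added example that is not code from the minitar project or from this thread; the extraction directory, the sample entry names and the function names are all assumed:

```ruby
require "pathname"

# Resolve an archive entry name against the extraction directory and
# refuse anything that would land outside it. Returns the absolute
# destination path, or nil when the entry escapes.
def safe_extract_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # Absolute names ("/etc/passwd") and "~"-prefixed names (which
  # File.expand_path would turn into a home directory) are never honoured.
  return nil if Pathname.new(entry_name).absolute? || entry_name.start_with?("~")
  target = File.expand_path(entry_name, base)
  # Lexical containment: target must be base itself or sit beneath "base/".
  # Comparing with the trailing separator keeps "/tmp/out" from matching
  # "/tmp/outside". Symlinks written earlier by the same archive are not
  # covered by this check and need a separate policy.
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Partition entry names into those safe to write and those that traverse
# out of dest_dir: the per-entry decision an extractor must make before
# any File.open or mkdir.
def classify_entries(dest_dir, entry_names)
  safe, rejected = [], []
  entry_names.each do |name|
    path = safe_extract_path(dest_dir, name)
    path ? safe << [name, path] : rejected << name
  end
  [safe, rejected]
end

# Constructed sample of entry names an untrusted archive might carry.
SAMPLE_ENTRIES = [
  "data/readme.txt",
  "data/../notes.txt",          # normalises to notes.txt, still inside
  "../../outside.txt",          # plain dot-dot escape
  "/etc/passwd",                # absolute path
  "data/../../../tmp/evil.sh",  # escape hidden behind a harmless prefix
]

if __FILE__ == $0
  safe, rejected = classify_entries("/tmp/extract", SAMPLE_ENTRIES)
  safe.each { |n, p| puts "ok       #{n} -> #{p}" }
  rejected.each { |n| puts "REJECTED #{n}" }
end
```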