Security - CVE-2017-5946

Bug #1669894 reported by Phillip Prescher
Affects                  Status        Importance   Assigned to
libzip-ruby (Ubuntu)     Fix Released  Undecided    Unassigned
ruby-zip (Ubuntu)        Fix Released  Undecided    Unassigned
  Xenial                 Incomplete    Undecided    Unassigned
  Yakkety                Incomplete    Undecided    Unassigned
  Zesty                  Fix Released  Undecided    Unassigned

Bug Description

This version of rubyzip is vulnerable to directory traversal attacks. Please see CVE-2017-5946.

It needs to be upgraded to version 1.2.1. It is currently on version 1.1.7.

Tyler Hicks (tyhicks) wrote :

Thanks for the report, Phillip. We are aware of this issue and are tracking it here:

  https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5946.html

information type: Private Security → Public Security
Changed in ruby-zip (Ubuntu):
status: New → Triaged
Tyler Hicks (tyhicks) wrote :

Hello again, Phillip. I made a mistake while triaging this bug last week because I mistakenly thought that ruby-zip was in main. It turns out that ruby-zip is in universe and, therefore, it is community supported. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

I'm in the process of syncing the Debian security update for libzip-ruby in 12.04 and for ruby-zip in Zesty (soon to be 17.04). There are no syncs available for 16.04 or 16.10 so it'd be much appreciated if you could provide debdiffs for those releases.

Changed in libzip-ruby (Ubuntu):
status: New → In Progress
no longer affects: libzip-ruby (Ubuntu Zesty)
no longer affects: libzip-ruby (Ubuntu Yakkety)
no longer affects: libzip-ruby (Ubuntu Xenial)
Changed in ruby-zip (Ubuntu Zesty):
status: Triaged → In Progress
Changed in ruby-zip (Ubuntu Yakkety):
status: New → Incomplete
Changed in ruby-zip (Ubuntu Xenial):
status: New → Incomplete
Tyler Hicks (tyhicks) wrote :

This bug was fixed in the package ruby-zip - 1.2.0-1.1

---------------
ruby-zip (1.2.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2017-5946: directory traversal vulnerability in Zip::File component
    (Closes: #856269)

 -- Salvatore Bonaccorso <email address hidden> Mon, 27 Feb 2017 17:38:59 +0100

Changed in ruby-zip (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libzip-ruby - 0.9.4-1+deb7u1build0.12.04.1

---------------
libzip-ruby (0.9.4-1+deb7u1build0.12.04.1) precise-security; urgency=medium

  * fake sync from Debian (LP: #1669894)

libzip-ruby (0.9.4-1+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2017-5946:
    It was discovered that libzip-ruby, a Ruby module for reading and writing
    zip files, is prone to a directory traversal vulnerability. An attacker can
    take advantage of this flaw to overwrite arbitrary files during archive
    extraction via a .. (dot dot) in an extracted filename.

 -- Tyler Hicks <email address hidden> Mon, 13 Mar 2017 15:06:48 +0000

Changed in libzip-ruby (Ubuntu):
status: In Progress → Fix Released
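The changelog entries above describe the CVE-2017-5946 pattern: an archive entry whose name contains `..` (or is absolute) is written outside the extraction directory. The block below is an added example, not rubyzip's own code nor the patch shipped in these packages; it shows the containment check an extractor should apply to every entry name before touching the filesystem. `safe_entry_path`, `triage_entries`, the `/tmp/extract` destination and the sample entry list are all constructed for illustration.

```ruby
# Resolve an archive entry name against dest_dir and return the absolute target
# path, or nil when the entry would land outside dest_dir.
# Hypothetical helper, not rubyzip's API. Checks the name only; symlink entries
# inside the archive are a separate concern.
def safe_entry_path(dest_dir, entry_name)
  base = File.absolute_path(dest_dir)
  # Absolute names (POSIX or drive-letter) ignore dest_dir entirely: reject.
  return nil if entry_name.start_with?("/") || entry_name.match?(%r{\A[A-Za-z]:[\\/]})
  # Archives built on Windows may carry backslashes; normalise before resolving.
  # File.absolute_path (unlike expand_path) leaves a leading "~" literal.
  candidate = File.absolute_path(entry_name.tr("\\", "/"), base)
  # Accept only base itself or a path strictly inside it (prefix + separator,
  # so a sibling such as /tmp/extract2 does not pass).
  return nil unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Split entry names into {name => resolved path} for safe ones and a list of
# rejected names, so the caller can log rejections before extracting anything.
def triage_entries(dest_dir, entry_names)
  safe = {}
  rejected = []
  entry_names.each do |name|
    path = safe_entry_path(dest_dir, name)
    if path
      safe[name] = path
    else
      rejected << name
    end
  end
  [safe, rejected]
end

# Constructed sample entry names (not taken from a real archive).
SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "docs/../docs/notes.txt",   # ".." that resolves back inside: allowed
  "../../etc/crontab",        # classic traversal: rejected
  "/etc/passwd",              # absolute name: rejected
  "nested/./deep/file",
  "..\\..\\windows\\win.ini", # backslash variant: rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, rejected = triage_entries("/tmp/extract", SAMPLE_ENTRIES)
  safe.each { |name, path| puts "extract #{name.inspect} -> #{path}" }
  rejected.each { |name| puts "reject  #{name.inspect}" }
end
```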