Package: ruby-minitar / 0.5.4-3.1

CVE-2016-10173.patch
Description: CVE-2016-10173: directory traversal vulnerability
Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
Bug: https://github.com/halostatue/minitar/issues/16
Bug-Debian: https://bugs.debian.org/853075
Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
Forwarded: not-needed
Author: Jordi Massaguer
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2017-01-30

--- a/lib/archive/tar/minitar.rb	
+++ a/lib/archive/tar/minitar.rb	
@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
         end
 
         inp.each do |entry|
+            if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+              raise entry.full_name + " Error path contains .."
+            end
           if files.empty? or files.include?(entry.full_name)
             inp.extract_entry(dest, entry, &block)
           end
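Review bot: the pattern `/\.{2}(?:\/|\z)/` on the added `if` line is not anchored on the left, so any component that merely ends in two dots (for example `foo../bar` or `a..`) is rejected together with genuine `..` components; anchoring it as `/(?:\A|\/)\.\.(?:\/|\z)/` would limit the check to a whole `..` path component. The check also only looks for `..`: whether a `full_name` beginning with `/` is handled safely depends on how `inp.extract_entry(dest, entry, &block)` joins it onto `dest`, which is outside this hunk, so that case is worth confirming separately. Finally, `raise entry.full_name + " Error path contains .."` raises a bare RuntimeError with the entry name placed before the message; a dedicated error class, or at least `raise "Error: path contains '..': #{entry.full_name}"`, would be clearer and easier for callers to rescue selectively.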