Bug 1021740 (CVE-2016-10173)

Summary: VUL-1: CVE-2016-10173: rubygem-minitar,rubygem-archive-tar-minitar: directory traversal vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger, containers-bugowner, jmassaguerpla, tchatzimichos, vrothberg
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: All   
URL: https://smash.suse.de/issue/179084/
Whiteboard: CVSSv2:NVD:CVE-2016-10173:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2016-10173:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVSSv3:RedHat:CVE-2016-10173:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1096174    
Attachments: proposed patch

Description Mikhail Kasimov 2017-01-24 21:20:16 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/178
=====================================================
Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
=====================================================

https://software.opensuse.org/package/rubygem-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-minitar
https://software.opensuse.org/package/rubygem-archive-tar-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-archive-tar-minitar
Comment 1 Swamp Workflow Management 2017-01-24 23:02:04 UTC 
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-25 09:50:55 UTC 
openSUSE:Leap:42.1:Update/rubygem-archive-tar-minitar
openSUSE:Leap:42.2:Update/rubygem-archive-tar-minitar
openSUSE Leap 42.2 rubygem-minitar
Comment 5 Jordi Massaguer 2017-01-27 17:37:29 UTC 
Created attachment 711945 [details]
proposed patch

Minimal patch for version 0.5.2 (rubygem-archive-tar-minitar) and for version 0.5.4 (rubygem-minitar)
Comment 6 Jordi Massaguer 2017-01-27 19:00:20 UTC 
assigning to security team. All requests have been submitted.
Comment 7 Bernhard Wiedemann 2017-01-27 19:02:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453014 42.1+42.2 / rubygem-archive-tar-minitar
Comment 9 Mikhail Kasimov 2017-01-29 12:10:17 UTC 
CVE Assignment Team: "Use CVE-2016-10173 for both minitar and archive-tar-minitar".
Comment 10 Bernhard Wiedemann 2017-01-30 11:02:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453406 42.2 / rubygem-minitar
https://build.opensuse.org/request/show/453408 42.1+42.2 / rubygem-archive-tar-minitar
Comment 12 Swamp Workflow Management 2017-02-09 11:07:10 UTC 
openSUSE-SU-2017:0429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
Sources used:
openSUSE Leap 42.2 (src):    rubygem-minitar-0.5.4-3.1
Comment 13 Valentin Rothberg 2017-10-02 13:27:39 UTC 
Closing the bug as the SRs have been accepted.
Comment 16 Alexander Bergmann 2018-06-06 12:20:43 UTC 
Not yet fixed in openSUSE:Leap:42.3.
Comment 17 Alexander Bergmann 2018-06-06 12:32:43 UTC 
The openSUSE Leap 42.3 submission is handled inside SUSE:Maintenance:4085 / SUSE:SLE-12:Update that is currently on hold.
Comment 18 Marcus Meissner 2021-01-09 08:20:24 UTC 
released, leap 42.3 is eol
Comment 19 Swamp Workflow Management 2021-01-13 20:20:33 UTC 
SUSE-SU-2021:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    rubygem-archive-tar-minitar-0.5.2-7.3.65

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.