Bug 1027050 (CVE-2017-5946)

Summary: VUL-0: CVE-2017-5946: rubygem-rubyzip: The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerabi...
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: Incidents    Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, ismail, maint-coord, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/180949/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1096174    

Description Marcus Meissner 2017-02-27 10:37:06 UTC
CVE-2017-5946

 The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
directory traversal vulnerability. If a site allows uploading of .zip
files, an attacker can upload a malicious file that uses "../" pathname
substrings to write arbitrary files to the filesystem.


    CONFIRM:https://github.com/rubyzip/rubyzip/issues/315
    CONFIRM:https://github.com/rubyzip/rubyzip/releases 

Only in openSUSE.
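Added worked example (editor's addition, not part of the bug report and not rubyzip's own code): the bug is that an extractor joins the destination directory with the entry name exactly as it appears in the archive, so an entry named "../../evil.txt" is written two levels above the upload directory. The script below builds a stored ZIP containing such an entry with a hand-rolled writer (so it needs only the Ruby standard library), extracts it first with the naive join and then with a path check that rejects anything resolving outside the destination. The function names, the minimal ZIP reader/writer and the check itself are this example's own; the check is generic hardening and is not a reproduction of the patch rubyzip shipped in 1.2.1.

```ruby
require 'zlib'
require 'tmpdir'
require 'fileutils'

# Build a minimal "stored" (uncompressed) ZIP archive in memory. Hand-rolled so
# the example needs only the Ruby standard library; a real archive would come
# from rubyzip, but the entry name is the only thing that matters for this bug.
def build_zip(entries)
  locals, centrals = [], []
  offset = 0
  entries.each do |name, data|
    name = name.b
    data = data.b
    crc = Zlib.crc32(data)
    # Local file header + name + raw data (compression method 0 = stored).
    local = ["PK\x03\x04", 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
             name.bytesize, 0].pack('a4v5V3v2') + name + data
    # Central directory header pointing back at that local header.
    centrals << ["PK\x01\x02", 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                 name.bytesize, 0, 0, 0, 0, 0, offset].pack('a4v6V3v5V2') + name
    locals << local
    offset += local.bytesize
  end
  cd = centrals.join
  eocd = ["PK\x05\x06", 0, 0, entries.size, entries.size, cd.bytesize, offset, 0].pack('a4v4V2v')
  locals.join + cd + eocd
end

# Walk the central directory and return [name, data] pairs. Entry names are
# taken verbatim: a ZIP carries whatever its author put there, "../" included.
def read_entries(zip)
  zip = zip.b
  eocd_at = zip.rindex("PK\x05\x06".b) or raise ArgumentError, 'no end-of-central-directory record'
  count, _cd_size, cd_offset = zip[eocd_at + 10, 10].unpack('vV2')
  pos = cd_offset
  Array.new(count) do
    raise ArgumentError, 'bad central directory entry' unless zip[pos, 4] == "PK\x01\x02".b
    size, name_len, extra_len, comment_len, local_off = zip[pos + 20, 26].unpack('Vx4v3x8V')
    name = zip[pos + 46, name_len].force_encoding('UTF-8')
    pos += 46 + name_len + extra_len + comment_len
    # Local header is 30 fixed bytes, then its own name/extra fields, then data.
    lname_len, lextra_len = zip[local_off + 26, 4].unpack('v2')
    [name, zip[local_off + 30 + lname_len + lextra_len, size]]
  end
end

# The pattern this CVE describes: the entry name is trusted as a relative path,
# so "../" segments walk out of the extraction directory.
def unsafe_target(dest, name)
  File.join(dest, name)
end

# Hardened form (this example's own check): resolve the candidate and require it
# to stay under dest. File.absolute_path collapses ".." and does not expand "~";
# an absolute entry name ignores the base directory, so it lands outside root
# and is rejected as well.
def safe_target(dest, name)
  root = File.absolute_path(dest)
  candidate = File.absolute_path(name, root)
  prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
  raise ArgumentError, "zip entry #{name.inspect} escapes #{root}" unless candidate.start_with?(prefix)
  candidate
end

# Resolve every name before writing anything, so a hostile archive is rejected
# whole rather than half-extracted. Returns the paths written.
def extract(zip, dest, resolver)
  entries = read_entries(zip)
  targets = entries.map { |name, _| resolver.call(dest, name) }
  entries.zip(targets).map do |(_, data), target|
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
    target
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample archive: one benign entry and one traversal entry.
  hostile = build_zip('docs/readme.txt' => "hello\n", '../../evil.txt' => "owned\n")
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, 'a', 'b', 'uploads')
    FileUtils.mkdir_p(dest)
    extract(hostile, dest, method(:unsafe_target))
    escaped = File.join(tmp, 'a', 'evil.txt')
    puts "unsafe extraction wrote #{escaped}: #{File.exist?(escaped)}"
    begin
      extract(hostile, File.join(tmp, 'clean'), method(:safe_target))
    rescue ArgumentError => e
      puts "safe extraction refused the archive: #{e.message}"
    end
  end
end
```

Two caveats for anyone copying the check: it normalizes the path lexically and does not resolve symlinks, so an archive that first extracts a symlink and then writes through it needs a realpath check on each parent directory (or symlink entries rejected outright); and it compares against File::SEPARATOR only, so on Windows an entry name using backslashes must be normalized before the check.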
Comment 1 Swamp Workflow Management 2017-02-27 23:01:36 UTC
bugbot adjusting priority
Comment 2 Ismail Dönmez 2017-08-02 12:11:13 UTC
darix is the maintainer/bugowner.
Comment 3 Marcus Rückert 2017-08-02 12:14:06 UTC
r1 | namtrac | 2012-07-30 15:13:40 | 950e29e0b75dacd424c0ae80c46c0268 | 0.9.9 | rq128951
needed for selenium


You submitted it. You fix it.
Comment 4 Bernhard Wiedemann 2017-08-02 14:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (1027050) was mentioned in
https://build.opensuse.org/request/show/514041 42.2 / rubygem-rubyzip
https://build.opensuse.org/request/show/514042 42.3 / rubygem-rubyzip
Comment 5 Ismail Dönmez 2017-08-03 09:14:53 UTC
All submits accepted.
Comment 6 Ismail Dönmez 2017-08-03 09:17:14 UTC
Hand over to security team.
Comment 7 Andreas Stieger 2017-08-09 20:11:19 UTC
done
Comment 8 Swamp Workflow Management 2017-08-10 01:11:05 UTC
openSUSE-SU-2017:2120-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027050
CVE References: CVE-2017-5946
Sources used:
openSUSE Leap 42.3 (src):    rubygem-rubyzip-1.1.7-8.1
openSUSE Leap 42.2 (src):    rubygem-rubyzip-1.1.7-5.3.1