Bug 802795 (CVE-2013-0262) - VUL-0: CVE-2013-0262: rubygem-rack-1_4: Rack versions 1.4.0-1.5.1, Symlink path traversal.
Summary: VUL-0: CVE-2013-0262: rubygem-rack-1_4: Rack versions 1.4.0-1.5.1, Symlink pa...
Status: RESOLVED FIXED
Alias: CVE-2013-0262
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:50862:important maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-08 11:58 UTC by Marcus Meissner
Modified: 2021-09-10 14:15 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2013-02-08 11:58:32 UTC
is public, via oss-sec

From: James Tucker <raggi@google.com>
Subject: [oss-security] CVE-2013-0262: Rack versions 1.4.0-1.5.1, Symlink path traversal.

CVE: CVE-2013-0262
Software: Rack (rack.github.com)
Type of vulnerability: Information Disclosure
Vulnerable code: https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56
Patch: https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
Versions affected: All versions after 1.4.0
Versions fixed: 1.4.5, 1.5.2
Reporter: Ben Murphy
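The advisory names the bug class (symlink path traversal in Rack::File) but not the mechanism, so the following Ruby illustration is added here for this page. It is not Rack's code and not the patch linked above: it contrasts a check that only counts ".." components lexically and then hands the raw components to the filesystem with a hardened lookup that normalises ".." before the filesystem sees it and then verifies the symlink-resolved path is still under the resolved document root. The directory layout, file contents and request strings are constructed for the demo; `depth_check_path`, `safe_path` and `demo` are names chosen here.

```ruby
# Added illustration for this bug page; not Rack's code and not the patch
# linked above. Shows why a lexical ".." check alone does not prevent a
# traversal through a symlink placed inside the document root, and the
# two checks that close it. All paths, files and requests are constructed.
require 'tmpdir'
require 'fileutils'

# Weak check: track directory depth while scanning the components and
# reject only if ".." would pop below the root, then hand the ORIGINAL
# components (".." included) to the filesystem. "link/../secret.txt"
# passes (depth 1 -> 0 -> 1), but the kernel resolves "link" to its
# target first, so ".." is applied relative to that target, not to root.
def depth_check_path(root, path_info)
  depth = 0
  parts = path_info.split('/')
  parts.each do |part|
    case part
    when '', '.'
      next
    when '..'
      return nil if depth - 1 < 0   # lexical escape: reject
      depth -= 1
    else
      depth += 1
    end
  end
  File.join(root, *parts)           # ".." survives into the real lookup
end

# Hardened: (1) normalise ".." lexically so it never reaches the
# filesystem, and (2) resolve symlinks with File.realpath and require the
# result to still sit under the resolved root.
def safe_path(root, path_info)
  clean = []
  path_info.split('/').each do |part|
    next if part.empty? || part == '.'
    part == '..' ? clean.pop : clean << part
  end
  candidate = File.join(root, *clean)
  return nil unless File.file?(candidate)
  real_root = File.realpath(root)
  real      = File.realpath(candidate)
  return nil unless real.start_with?(real_root + File::SEPARATOR)
  candidate
end

# Builds a throwaway document root with a symlink pointing outside it and
# returns, for each request, [request, weak-check result, hardened result]
# where a result is the file content that would be served, or nil if refused.
def demo
  Dir.mktmpdir do |tmp|
    root    = File.join(tmp, 'public')
    outside = File.join(tmp, 'outside')
    FileUtils.mkdir_p([root, outside])
    File.write(File.join(root, 'index.html'), 'hello')
    File.write(File.join(outside, 'leak.txt'), 'via-symlink')
    File.write(File.join(tmp, 'secret.txt'), 'not-under-root')
    File.symlink(outside, File.join(root, 'link'))   # public/link -> ../outside

    ['index.html', 'link/leak.txt', 'link/../secret.txt', '../secret.txt'].map do |req|
      weak = depth_check_path(root, req)
      weak_served = (weak && File.file?(weak)) ? File.read(weak) : nil
      safe = safe_path(root, req)
      safe_served = safe ? File.read(safe) : nil
      [req, weak_served, safe_served]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |req, weak, safe| puts format('%-20s weak=%-18p hardened=%p', req, weak, safe) }
end
```

Run it directly to see the four rows: the plain file is served by both checks, the two requests that go through the symlink are served by the depth-counting check and refused by the hardened one, and the bare "../secret.txt" is refused by both. The realpath containment check in `safe_path` is what refuses "link/leak.txt" even though it contains no ".." at all; whether a static file server should follow symlinks out of its root at all is a policy choice, and refusing is the conservative default.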
Comment 1 Swamp Workflow Management 2013-02-08 23:00:26 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-02-11 14:53:46 UTC
please submit fixed package, also covered in SWAMP workflow 51030
Comment 3 Marcus Rückert 2013-02-14 14:08:42 UTC
submitted
Comment 4 Swamp Workflow Management 2013-02-25 10:06:43 UTC
openSUSE-SU-2013:0338-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 798452,802794,802795,803336,803339
CVE References: CVE-2012-6109,CVE-2013-0183,CVE-2013-0184,CVE-2013-0262,CVE-2013-0263,CVE-2013-0276,CVE-2013-0277
Sources used:
openSUSE 12.2 (src):    rubygem-actionmailer-2.3.17-2.9.1, rubygem-actionmailer-2_3-2.3.17-2.9.1, rubygem-actionmailer-3_2-3.2.12-2.13.1, rubygem-actionpack-2.3.17-2.9.1, rubygem-actionpack-2_3-2.3.17-2.17.1, rubygem-actionpack-3_2-3.2.12-3.13.1, rubygem-activemodel-3_2-3.2.12-2.13.1, rubygem-activerecord-2.3.17-3.9.1, rubygem-activerecord-2_3-2.3.17-2.13.1, rubygem-activerecord-3_2-3.2.12-2.13.1, rubygem-activeresource-2.3.17-3.9.1, rubygem-activeresource-2_3-2.3.17-2.9.1, rubygem-activeresource-3_2-3.2.12-2.13.1, rubygem-activesupport-2.3.17-3.9.1, rubygem-activesupport-2_3-2.3.17-3.13.1, rubygem-activesupport-3_2-3.2.12-2.13.1, rubygem-rack-1_1-1.1.6-6.9.1, rubygem-rack-1_2-1.2.8-2.9.1, rubygem-rack-1_3-1.3.10-2.9.1, rubygem-rack-1_4-1.4.5-2.9.1, rubygem-rails-2.3.17-3.9.1, rubygem-rails-2_3-2.3.17-3.9.1, rubygem-rails-3_2-3.2.12-2.13.1, rubygem-railties-3_2-3.2.12-2.13.1
openSUSE 12.1 (src):    rubygem-actionmailer-2.3.17-2.11.1, rubygem-actionmailer-2_3-2.3.17-3.13.2, rubygem-actionpack-2.3.17-2.11.1, rubygem-actionpack-2_3-2.3.17-3.20.2, rubygem-activerecord-2.3.17-2.11.1, rubygem-activerecord-2_3-2.3.17-3.16.1, rubygem-activeresource-2.3.17-2.11.1, rubygem-activeresource-2_3-2.3.17-3.13.1, rubygem-activesupport-2.3.17-2.11.1, rubygem-activesupport-2_3-2.3.17-3.17.1, rubygem-rack-1_1-1.1.6-3.9.1, rubygem-rails-2.3.17-2.11.1, rubygem-rails-2_3-2.3.17-3.13.1
Comment 5 Sebastian Krahmer 2013-04-03 14:25:55 UTC
released