Bug 1021740 (CVE-2016-10173) - VUL-1: CVE-2016-10173: rubygem-minitar,rubygem-archive-tar-minitar: directory traversal vulnerability
Summary: VUL-1: CVE-2016-10173: rubygem-minitar,rubygem-archive-tar-minitar: director...
Status: RESOLVED FIXED
Alias: CVE-2016-10173
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other All
: P3 - Medium : Normal
Target Milestone: unspecified
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/179084/
Whiteboard: CVSSv2:NVD:CVE-2016-10173:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks: 1096174
  Show dependency treegraph
 
Reported: 2017-01-24 21:20 UTC by Mikhail Kasimov
Modified: 2021-01-13 20:20 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
proposed patch (534 bytes, patch)
2017-01-27 17:37 UTC, Jordi Massaguer 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-01-24 21:20:16 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/178
=====================================================
Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
=====================================================

https://software.opensuse.org/package/rubygem-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-minitar
https://software.opensuse.org/package/rubygem-archive-tar-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-archive-tar-minitar
Comment 1 Swamp Workflow Management 2017-01-24 23:02:04 UTC 
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-25 09:50:55 UTC 
openSUSE:Leap:42.1:Update/rubygem-archive-tar-minitar
openSUSE:Leap:42.2:Update/rubygem-archive-tar-minitar
openSUSE Leap 42.2 rubygem-minitar
Comment 5 Jordi Massaguer 2017-01-27 17:37:29 UTC 
Created attachment 711945 [details]
proposed patch

Minimal patch for version 0.5.2 (rubygem-archive-tar-minitar) and for version 0.5.4 (rubygem-minitar)
Comment 6 Jordi Massaguer 2017-01-27 19:00:20 UTC 
assigning to security team. All requests have been submitted.
Comment 7 Bernhard Wiedemann 2017-01-27 19:02:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453014 42.1+42.2 / rubygem-archive-tar-minitar
Comment 9 Mikhail Kasimov 2017-01-29 12:10:17 UTC 
CVE Assignment Team: "Use CVE-2016-10173 for both minitar and archive-tar-minitar".
Comment 10 Bernhard Wiedemann 2017-01-30 11:02:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453406 42.2 / rubygem-minitar
https://build.opensuse.org/request/show/453408 42.1+42.2 / rubygem-archive-tar-minitar
Comment 12 Swamp Workflow Management 2017-02-09 11:07:10 UTC 
openSUSE-SU-2017:0429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
Sources used:
openSUSE Leap 42.2 (src):    rubygem-minitar-0.5.4-3.1
Comment 13 Valentin Rothberg 2017-10-02 13:27:39 UTC 
Closing the bug as the SRs have been accepted.
Comment 16 Alexander Bergmann 2018-06-06 12:20:43 UTC 
Not yet fixed in openSUSE:Leap:42.3.
Comment 17 Alexander Bergmann 2018-06-06 12:32:43 UTC 
The openSUSE Leap 42.3 submission is handled inside SUSE:Maintenance:4085 / SUSE:SLE-12:Update that is currently on hold.
Comment 18 Marcus Meissner 2021-01-09 08:20:24 UTC 
released, leap 42.3 is eol
Comment 19 Swamp Workflow Management 2021-01-13 20:20:33 UTC 
SUSE-SU-2021:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    rubygem-archive-tar-minitar-0.5.2-7.3.65

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.