Bug 1027050 (CVE-2017-5946) - VUL-0: CVE-2017-5946: rubygem-rubyzip: The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerabi...
Summary: VUL-0: CVE-2017-5946: rubygem-rubyzip: The Zip::File component in the rubyzip...
Status: RESOLVED FIXED
Alias: CVE-2017-5946
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/180949/
Whiteboard:
Keywords:
Depends on:
Blocks: 1096174
Reported: 2017-02-27 10:37 UTC by Marcus Meissner
Modified: 2020-04-28 16:15 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2017-02-27 10:37:06 UTC
CVE-2017-5946

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
directory traversal vulnerability. If a site allows uploading of .zip
files, an attacker can upload a malicious file that uses "../" pathname
substrings to write arbitrary files to the filesystem.


    CONFIRM: https://github.com/rubyzip/rubyzip/issues/315
    CONFIRM: https://github.com/rubyzip/rubyzip/releases

Only in openSUSE.
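The traversal described in the CVE text above, as an added example that is not part of this bug report and not rubyzip's code. It uses only the Ruby standard library: a minimal stored-ZIP writer builds a constructed archive containing an entry named `../evil.txt`, a central-directory reader lists and extracts it, `unsafe_target_path` shows the naive join that lets such an entry land outside the destination, and `safe_entry_path` / `extract_all` show a containment check (resolve the entry name against the destination with `File.expand_path` and require the result to stay under it). The function names, the archive contents and the exact form of the check are assumptions of this example; rubyzip 1.2.1's real fix is in the linked issue and release.

```ruby
# Added example (not rubyzip's code and not from this bug report): a tiny
# stored-ZIP writer and reader in plain Ruby, used to show how an entry named
# "../evil.txt" escapes the extraction directory and how a path check stops it.
require 'zlib'
require 'fileutils'
require 'tmpdir'

LOCAL_HDR   = 0x04034b50
CENTRAL_HDR = 0x02014b50
EOCD_HDR    = 0x06054b50

# Build a stored (uncompressed) ZIP from {name => data}. Names are written
# verbatim, exactly as an attacker's tool would write "../evil.txt".
def build_zip(entries)
  out = ''.b
  central = ''.b
  entries.each do |name, data|
    name = name.b
    data = data.b
    crc = Zlib.crc32(data)
    offset = out.bytesize
    out << [LOCAL_HDR, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
            name.bytesize, 0].pack('VvvvvvVVVvv') << name << data
    central << [CENTRAL_HDR, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, offset].pack('VvvvvvvVVVvvvvvVV') << name
  end
  cd_offset = out.bytesize
  out << central
  out << [EOCD_HDR, 0, 0, entries.size, entries.size, central.bytesize,
          cd_offset, 0].pack('VvvvvVVv')
end

# Walk the central directory and yield [name, data] per entry (stored or
# deflated), verifying the CRC so a corrupted entry is never written out.
def each_entry(zip)
  zip = zip.b
  eocd = zip.rindex([EOCD_HDR].pack('V'))
  raise 'no end-of-central-directory record' unless eocd
  total, cd_offset = zip[eocd, 22].unpack('VvvvvVVv').values_at(4, 6)
  pos = cd_offset
  total.times do
    f = zip[pos, 46].unpack('VvvvvvvVVVvvvvvVV')
    raise 'bad central directory header' unless f[0] == CENTRAL_HDR
    method, crc, csize, nlen, xlen, clen, loffset = f.values_at(4, 7, 8, 10, 11, 12, 16)
    name = zip[pos + 46, nlen].force_encoding('UTF-8')
    lh = zip[loffset, 30].unpack('VvvvvvVVVvv')
    raise 'bad local file header' unless lh[0] == LOCAL_HDR
    raw = zip[loffset + 30 + lh[9] + lh[10], csize]
    data = case method
           when 0 then raw
           when 8 then Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)
           else raise "unsupported compression method #{method}"
           end
    raise "CRC mismatch for #{name}" unless Zlib.crc32(data) == crc
    yield name, data
    pos += 46 + nlen + xlen + clen
  end
end

# Vulnerable pattern (what the CVE text describes): trust the entry name.
# File.join never normalises "..", so the write lands outside dest_dir.
def unsafe_target_path(dest_dir, name)
  File.join(dest_dir, name)
end

# Hardened: resolve the name against the destination and require the result
# to stay strictly inside it. Rejects "../", absolute names, "~" and NULs.
def safe_entry_path(dest_dir, name)
  return nil if name.include?("\0") || name.start_with?('~')
  dest = File.expand_path(dest_dir)
  target = File.expand_path(name, dest)
  return nil unless target.start_with?(dest + File::SEPARATOR)
  target
end

# Extract every entry whose path passes the check; report the rest.
def extract_all(zip, dest_dir)
  result = { extracted: [], rejected: [] }
  each_entry(zip) do |name, data|
    target = safe_entry_path(dest_dir, name)
    if target.nil?
      result[:rejected] << name
      next
    end
    if name.end_with?('/')
      FileUtils.mkdir_p(target)
    else
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, data)
    end
    result[:extracted] << name
  end
  result
end

# Constructed malicious upload: one benign entry and one traversal entry.
MALICIOUS_ZIP = build_zip('readme.txt' => "harmless\n", '../evil.txt' => "owned\n")

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, 'uploads')
    puts "naive join would write to: #{File.expand_path(unsafe_target_path(dest, '../evil.txt'))}"
    p extract_all(MALICIOUS_ZIP, dest)
  end
end
```

The check is done on the resolved path rather than by scanning for `..` substrings, so `a/../../x`, absolute names and home-directory expansion are all caught by the same comparison; the trailing `File::SEPARATOR` in the prefix test keeps `/srv/uploads-old/x` from passing as "inside" `/srv/uploads`.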
Comment 1 Swamp Workflow Management 2017-02-27 23:01:36 UTC
bugbot adjusting priority
Comment 2 Ismail Dönmez 2017-08-02 12:11:13 UTC
darix is the maintainer/bugowner.
Comment 3 Marcus Rückert 2017-08-02 12:14:06 UTC
r1 | namtrac | 2012-07-30 15:13:40 | 950e29e0b75dacd424c0ae80c46c0268 | 0.9.9 | rq128951
needed for selenium


you submitted it. you fix it.
Comment 4 Bernhard Wiedemann 2017-08-02 14:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (1027050) was mentioned in
https://build.opensuse.org/request/show/514041 42.2 / rubygem-rubyzip
https://build.opensuse.org/request/show/514042 42.3 / rubygem-rubyzip
Comment 5 Ismail Dönmez 2017-08-03 09:14:53 UTC
All submits accepted.
Comment 6 Ismail Dönmez 2017-08-03 09:17:14 UTC
Hand over to security team.
Comment 7 Andreas Stieger 2017-08-09 20:11:19 UTC
done
Comment 8 Swamp Workflow Management 2017-08-10 01:11:05 UTC
openSUSE-SU-2017:2120-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027050
CVE References: CVE-2017-5946
Sources used:
openSUSE Leap 42.3 (src):    rubygem-rubyzip-1.1.7-8.1
openSUSE Leap 42.2 (src):    rubygem-rubyzip-1.1.7-5.3.1