Bug 1021740 - (CVE-2016-10173) VUL-1: CVE-2016-10173: rubygem-minitar,rubygem-archive-tar-minitar: directory traversal vulnerability
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: All
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
Depends on:
Blocks: 1096174
Reported: 2017-01-24 21:20 UTC by Mikhail Kasimov
Modified: 2021-01-13 20:20 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

proposed patch (534 bytes, patch)
2017-01-27 17:37 UTC, Jordi Massaguer

Description Mikhail Kasimov 2017-01-24 21:20:16 UTC
Ref: http://seclists.org/oss-sec/2017/q1/178
Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.


Upstream patch:

The same issue exists in rubygem archive-tar-minitar

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
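The flaw reported above is that an entry name containing ".." is written wherever it resolves. The following is an added example of the kind of entry-name validation an extractor needs before writing anything; it is not minitar's code or the attached patch, and the helper names (safe_extract_path, triage_entries, UnsafeEntryName) are assumptions for this illustration.

```ruby
# Added example (not minitar's own code): validate a tar entry name before
# extraction so it cannot resolve outside the destination directory.
# Helper names here are assumptions made for this illustration.

class UnsafeEntryName < StandardError; end

# Returns the absolute path under +dest_dir+ at which +entry_name+ may be
# written, or raises UnsafeEntryName if the name is absolute, empty, or
# climbs above dest_dir through ".." segments.
def safe_extract_path(dest_dir, entry_name)
  raise UnsafeEntryName, "absolute: #{entry_name}" if entry_name.start_with?('/')

  parts = []
  entry_name.split('/').each do |seg|
    next if seg.empty? || seg == '.'          # "a//b" and "./a" are harmless
    if seg == '..'
      # A ".." with nothing left to pop would escape dest_dir.
      raise UnsafeEntryName, "traversal: #{entry_name}" if parts.empty?
      parts.pop
    else
      parts << seg
    end
  end
  raise UnsafeEntryName, "empty: #{entry_name}" if parts.empty?

  dest = File.expand_path(dest_dir)
  full = File.join(dest, *parts)
  # Belt and braces: the resolved path must still sit inside dest.
  raise UnsafeEntryName, "escaped: #{entry_name}" unless full.start_with?(File.join(dest, ''))
  full
end

# Partition entry names into those safe to extract and those to reject,
# as an extractor should do before touching the filesystem.
def triage_entries(dest_dir, entry_names)
  safe, rejected = {}, {}
  entry_names.each do |name|
    begin
      safe[name] = safe_extract_path(dest_dir, name)
    rescue UnsafeEntryName => e
      rejected[name] = e.message
    end
  end
  [safe, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample entry names, including ".." traversal attempts.
  names = ['docs/README', './lib/a/../b.rb', '../../outside.txt',
           'ok/../../escape', '/abs/outside.txt']
  safe, rejected = triage_entries('/tmp/out', names)
  safe.each { |n, p| puts "extract #{n} -> #{p}" }
  rejected.each { |n, why| puts "reject  #{n}: #{why}" }
end
```

This check covers entry names only; an extractor must separately refuse to follow symlink entries it has itself just written, since name normalisation alone does not prevent that.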

Comment 1 Swamp Workflow Management 2017-01-24 23:02:04 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-25 09:50:55 UTC
openSUSE Leap 42.2 rubygem-minitar
Comment 5 Jordi Massaguer 2017-01-27 17:37:29 UTC
Created attachment 711945 [details]
proposed patch

Minimal patch for version 0.5.2 (rubygem-archive-tar-minitar) and for version 0.5.4 (rubygem-minitar)
Comment 6 Jordi Massaguer 2017-01-27 19:00:20 UTC
Assigning to security team. All requests have been submitted.
Comment 7 Bernhard Wiedemann 2017-01-27 19:02:05 UTC
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453014 42.1+42.2 / rubygem-archive-tar-minitar
Comment 9 Mikhail Kasimov 2017-01-29 12:10:17 UTC
CVE Assignment Team: "Use CVE-2016-10173 for both minitar and archive-tar-minitar".
Comment 10 Bernhard Wiedemann 2017-01-30 11:02:10 UTC
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453406 42.2 / rubygem-minitar
https://build.opensuse.org/request/show/453408 42.1+42.2 / rubygem-archive-tar-minitar
Comment 12 Swamp Workflow Management 2017-02-09 11:07:10 UTC
openSUSE-SU-2017:0429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
Sources used:
openSUSE Leap 42.2 (src):    rubygem-minitar-0.5.4-3.1
Comment 13 Valentin Rothberg 2017-10-02 13:27:39 UTC
Closing the bug as the SRs have been accepted.
Comment 16 Alexander Bergmann 2018-06-06 12:20:43 UTC
Not yet fixed in openSUSE:Leap:42.3.
Comment 17 Alexander Bergmann 2018-06-06 12:32:43 UTC
The openSUSE Leap 42.3 submission is handled inside SUSE:Maintenance:4085 / SUSE:SLE-12:Update that is currently on hold.
Comment 18 Marcus Meissner 2021-01-09 08:20:24 UTC
Released, Leap 42.3 is EOL.
Comment 19 Swamp Workflow Management 2021-01-13 20:20:33 UTC
SUSE-SU-2021:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    rubygem-archive-tar-minitar-0.5.2-7.3.65

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.