Bug 1021740 - (CVE-2016-10173) VUL-1: CVE-2016-10173: rubygem-minitar,rubygem-archive-tar-minitar: directory traversal vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / All
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
Security Team bot
URL: https://smash.suse.de/issue/179084/
Whiteboard: CVSSv2:NVD:CVE-2016-10173:5.0:(AV:N/A...
Depends on:
Blocks: 1096174
Reported: 2017-01-24 21:20 UTC by Mikhail Kasimov
Modified: 2021-01-13 20:20 UTC (History)
CC: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
proposed patch (534 bytes, patch), 2017-01-27 17:37 UTC, Jordi Massaguer

Description Mikhail Kasimov 2017-01-24 21:20:16 UTC
Ref: http://seclists.org/oss-sec/2017/q1/178
=====================================================
Rubygem minitar allows attackers to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

Issue:
https://github.com/halostatue/minitar/issues/16

Upstream patch:
https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

The same issue exists in rubygem archive-tar-minitar

I believe they're based on the same codebase, and minitar is the officially
supported fork, so I'm not sure if this warrants two CVEs or just one.

Thanks,
--
Max Veytsman
Co-founder appcanary.com
@mveytsman <https://twitter.com/mveytsman>
=====================================================

https://software.opensuse.org/package/rubygem-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-minitar
https://software.opensuse.org/package/rubygem-archive-tar-minitar
https://software.opensuse.org/package/ruby2.1-rubygem-archive-tar-minitar
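The check that the report above calls for, as an added Ruby example that is neither minitar's own code nor the attached patch: tar entry names are refused before extraction when a ".." component or an absolute name would place the file outside the destination directory. The SafeTarPath module, its function names and the sample entry list are constructed for this example.

```ruby
# Added example, not minitar's code: reject tar entry names that would
# escape the extraction directory (the ".." case from the bug report),
# plus absolute names, before any file is written.
module SafeTarPath
  # Returns the absolute destination path for +entry_name+ inside +dest+,
  # or nil when the entry must not be extracted.
  def self.resolve(dest, entry_name)
    dest = File.expand_path(dest)
    # Tar entries are expected to be relative; an absolute name is refused.
    return nil if entry_name.start_with?('/')
    # Refuse any ".." component before normalisation, so that
    # "pkg/../../x" is caught as well as "../x".
    return nil if entry_name.split('/').include?('..')
    target = File.expand_path(entry_name, dest)
    # Defence in depth: the resolved path must still lie inside dest.
    return nil unless target == dest || target.start_with?(dest + '/')
    target
  end

  # Constructed sample listing, as an archive might present its entries.
  SAMPLE_ENTRIES = [
    'pkg/README',
    'pkg/lib/minitar.rb',
    '../../../etc/passwd',
    'pkg/../../escape.txt',
    '/etc/shadow'
  ].freeze

  # Splits entries into [safe_to_extract, refused] for a given destination.
  def self.audit(dest, entries = SAMPLE_ENTRIES)
    entries.partition { |e| !resolve(dest, e).nil? }
  end
end

if __FILE__ == $PROGRAM_NAME
  ok, refused = SafeTarPath.audit('/tmp/extract')
  puts "safe:    #{ok.inspect}"
  puts "refused: #{refused.inspect}"
end
```

Run the file directly to see which constructed entries would be extracted into /tmp/extract and which are refused.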
Comment 1 Swamp Workflow Management 2017-01-24 23:02:04 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-25 09:50:55 UTC
openSUSE:Leap:42.1:Update/rubygem-archive-tar-minitar
openSUSE:Leap:42.2:Update/rubygem-archive-tar-minitar
openSUSE Leap 42.2 rubygem-minitar
Comment 5 Jordi Massaguer 2017-01-27 17:37:29 UTC
Created attachment 711945 [details]
proposed patch

Minimal patch for version 0.5.2 (rubygem-archive-tar-minitar) and for version 0.5.4 (rubygem-minitar)
Comment 6 Jordi Massaguer 2017-01-27 19:00:20 UTC
Assigning to security team. All requests have been submitted.
Comment 7 Bernhard Wiedemann 2017-01-27 19:02:05 UTC
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453014 42.1+42.2 / rubygem-archive-tar-minitar
Comment 9 Mikhail Kasimov 2017-01-29 12:10:17 UTC
CVE Assignment Team: "Use CVE-2016-10173 for both minitar and archive-tar-minitar".
Comment 10 Bernhard Wiedemann 2017-01-30 11:02:10 UTC
This is an autogenerated message for OBS integration:
This bug (1021740) was mentioned in
https://build.opensuse.org/request/show/453406 42.2 / rubygem-minitar
https://build.opensuse.org/request/show/453408 42.1+42.2 / rubygem-archive-tar-minitar
Comment 12 Swamp Workflow Management 2017-02-09 11:07:10 UTC
openSUSE-SU-2017:0429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
Sources used:
openSUSE Leap 42.2 (src):    rubygem-minitar-0.5.4-3.1
Comment 13 Valentin Rothberg 2017-10-02 13:27:39 UTC
Closing the bug as the SRs have been accepted.
Comment 16 Alexander Bergmann 2018-06-06 12:20:43 UTC
Not yet fixed in openSUSE:Leap:42.3.
Comment 17 Alexander Bergmann 2018-06-06 12:32:43 UTC
The openSUSE Leap 42.3 submission is handled inside SUSE:Maintenance:4085 / SUSE:SLE-12:Update that is currently on hold.
Comment 18 Marcus Meissner 2021-01-09 08:20:24 UTC
Released, Leap 42.3 is EOL.
Comment 19 Swamp Workflow Management 2021-01-13 20:20:33 UTC
SUSE-SU-2021:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021740
CVE References: CVE-2016-10173
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    rubygem-archive-tar-minitar-0.5.2-7.3.65

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.