8000 Directory traversal vulnerability · Issue #315 · rubyzip/rubyzip · GitHub
[go: up one dir, main page]
Skip to content

Directory traversal vulnerability #315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ecneladis opened this issue Feb 4, 2017 · 2 comments
Closed

Directory traversal vulnerability #315

ecneladis opened this issue Feb 4, 2017 · 2 comments

Comments

@ecneladis
Copy link

Overview

Rubyzip module allows to overwrite or create arbitrary files via relative filenames and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc etc.

Proof of concept:

>> unzip traversal.zip
Archive:  traversal.zip
warning:  skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
  inflating: tmp/zip_attack123

>> ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory

>> ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
>> ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123

rubyzip_test_traversal.rb:

require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end

Vulnerable version and test environment

>> uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
>> ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
>> gem list | grep zip
rubyzip (1.2.0)

Analogous vulnerability in minitar gem: halostatue/minitar#16
@simonoff
Copy link
Member
simonoff commented Feb 4, 2017

@ecneladis thank you for your report. I will review it tomorrow and will try to fix.

@phillycheeze
Copy link

Since this is a significant vulnerability, I have assigned a CVE ID to this issue.

CVE-2017-5946

@SebastianSzturo SebastianSzturo mentioned this issue Mar 2, 2017
Closed
dentarg added a commit to dentarg/extensionator that referenced this issue Mar 2, 2017
@dentarg
Update rubyzip dependency
a0d85e8 
rubyzip v1.2.1 fixes a security vulnerability: rubyzip/rubyzip#315

See https://github.com/rubyzip/rubyzip/releases/tag/v1.2.1 for additional changes.
@dentarg dentarg mentioned this issue Mar 2, 2017
Merged
@zillou zillou mentioned this issue Mar 3, 2017
Closed
@fabn fabn mentioned this issue Mar 3, 2017
Closed
amatriain added a commit to amatriain/feedbunch that referenced this issue Mar 6, 2017
@amatriain
Update rubyzip gem 1.2.0 -> 1.2.1
cb57a42 
This fixes a directory traversal vulnerability, see rubyzip/rubyzip#315
@shopify-services shopify-services mentioned this issue Mar 6, 2017
Closed
TrevorBramble added a commit to cwebberOps/restforce-bulk that referenced this issue Mar 8, 2017
@TrevorBramble
Loosen rubyzip dependency's version constraint
0023685 
There is a [published security
vulnerability](rubyzip/rubyzip#315) in rubyzip
that requires upgrading it, but the prior version constraint did not
allow updating minor versions.

This change raises the minimum version of rubyzip to include the
vulnerability patch and drops the patch version from the constraint to
allow minor version updates.
@TrevorBramble TrevorBramble mentioned this issue Mar 8, 2017
Merged
joshpencheon pushed a commit to NHSDigital/ndr_import that referenced this issue Mar 8, 2017
# bump rubyzip to 1.2.1, to address traversal CVE (rubyzip/rubyzip#315)
85585cd
joshpencheon pushed a commit to NHSDigital/ndr_import that referenced this issue Mar 8, 2017
# bump rubyzip to 1.2.1, to address traversal CVE (rubyzip/rubyzip#315)
c84ea01
aliuk2012 pushed a commit to ministryofjustice/correspondence_tool_public that referenced this issue Mar 24, 2017
CT-567 Update rubyzip
a79a6a2 
Code Climate identified a security flaw with a gem our service
was using.

Code Climate Notice:

Advisory: CVE-2017-5946

URL: rubyzip/rubyzip#315

Solution: upgrade to >= 1.2.1
@aliuk2012 aliuk2012 mentioned this issue Mar 24, 2017
Merged
aliuk2012 pushed a commit to ministryofjustice/correspondence_tool_public that referenced this issue Mar 24, 2017
@aliuk2012
CT-567 Update rubyzip
2d8ba47 
Code Climate identified a security flaw with a gem our service
was using.

Code Climate Notice:

Advisory: CVE-2017-5946

URL: rubyzip/rubyzip#315

Solution: upgrade to >= 1.2.1
This was referenced Mar 27, 2017
Closed
Closed
rap1ds added a commit to sharetribe/sharetribe that referenced this issue Apr 21, 2017
@rap1ds
Security: Update rubyzip to 1.2.1
110628d 
Read more:

rubyzip/rubyzip#315
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5946.html
@rap1ds rap1ds mentioned this issue Apr 21, 2017
Merged
@vtamara vtamara mentioned this issue Jul 3, 2017
Closed
@shopify-services shopify-services mentioned this issue Jul 26, 2017
Closed
@perlun perlun mentioned this issue Jul 27, 2017
Closed
rakvium added a commit to rakvium/blog that referenced this issue Oct 4, 2017
@rakvium
Fix rubyzip directory traversal vulnerability
232e840 
Name: rubyzip
Version: 0.9.9
Advisory: CVE-2017-5946
Criticality: Unknown
URL: rubyzip/rubyzip#315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1
@edymerchk edymerchk mentioned this issue Oct 4, 2017
Closed
PratheepV added a commit to PratheepV/docx that referenced this issue Nov 1, 2017
@PratheepV
Upgrading rubyzip for rubyzip/rubyzip#315
990b4f5 
Upgrading rubyzip for rubyzip/rubyzip#315
@PratheepV PratheepV mentioned this issue Nov 1, 2017
Closed
@trevorthornton trevorthornton mentioned this issue Dec 14, 2017
Closed
@michaelglass michaelglass mentioned this issue Jan 4, 2018
Closed
1 task
@attritionorg attritionorg mentioned this issue Feb 24, 2018
Closed
joshpencheon pushed a commit to NHSDigital/ndr_import that referenced this issue Mar 12, 2018
@joshpencheon
# bump rubyzip to 1.2.1, to address traversal CVE (rubyzip/rubyzip#315)
bd53fc8
@allewun allewun mentioned this issue May 24, 2018
Merged
4 tasks
@glebglazov glebglazov mentioned this issue Jun 8, 2018
Closed
@tuzovakaoff tuzovakaoff mentioned this issue Jun 14, 2018
Closed
@dannote dannote mentioned this issue Sep 10, 2018
Merged
@anshizzle anshizzle mentioned this issue Dec 11, 2018
Merged
niedfelj pushed a commit to niedfelj/qualtrics that referenced this issue Jun 2, 2020
@NickHurst
Merge branch 'dev' into 'master'
6564c04 
Fixes RubyZip vulnerability

There was a vulnerability found in `rubyzip` gem ([github issue](rubyzip/rubyzip#315)). This was fixed by updated the dependency to version `1.2.1` which fixes the vulnerability.

See merge request !1
@baburdick baburdick mentioned this issue Nov 11, 2021
Open
@wonda-tea-coffee wonda-tea-coffee mentioned this issue Nov 16, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simonoff @phillycheeze @ecneladis
0