Directory traversal vulnerability #315

Closed
ecneladis opened this issue Feb 4, 2017 · 2 comments

@ecneladis
commented Feb 4, 2017

Overview

The rubyzip module allows overwriting or creating arbitrary files via relative filenames, and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc, etc.

Proof of concept:

>> unzip traversal.zip
Archive:  traversal.zip
warning:  skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
  inflating: tmp/zip_attack123

>> ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory

>> ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
>> ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123

rubyzip_test_traversal.rb:

require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end

Vulnerable version and test environment

>> uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
>> ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
>> gem list | grep zip
rubyzip (1.2.0)

Analogous vulnerability in minitar gem: halostatue/minitar#16
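
Added example (not part of the original report, and not rubyzip's own fix): one way a caller can refuse entry names like the one in the proof of concept before passing a destination to `entry.extract`, using only the Ruby standard library. `safe_destination`, `UnsafeEntryError`, `verdict`, `classify_entries` and the sample names are hypothetical and constructed for illustration.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

class UnsafeEntryError < StandardError; end # hypothetical error class

# Map an archive entry name to a path under base_dir, or raise.
# With the loop from the report: entry.extract(safe_destination(out_dir, entry.name))
def safe_destination(base_dir, entry_name)
  if entry_name.empty? || entry_name.include?("\0") || Pathname.new(entry_name).absolute?
    raise UnsafeEntryError, "refusing entry name #{entry_name.inspect}"
  end
  base = File.realpath(base_dir)
  # expand_path collapses "." and ".." lexically, without touching the disk.
  dest = File.expand_path(File.join(base, entry_name))
  # Compare with a trailing separator so /out does not match /out-evil.
  inside = ->(path) { path == base || path.start_with?(base + File::SEPARATOR) }
  raise UnsafeEntryError, "#{entry_name.inspect} escapes #{base}" unless inside.(dest) && dest != base
  # A symlink already inside base can still redirect the write, so resolve
  # the nearest existing ancestor and check that as well.
  parent = File.dirname(dest)
  parent = File.dirname(parent) until File.exist?(parent)
  unless inside.(File.realpath(parent))
    raise UnsafeEntryError, "#{entry_name.inspect} passes through a symlink leaving #{base}"
  end
  dest
end

def verdict(base, name)
  safe_destination(base, name) && :ok
rescue UnsafeEntryError
  :rejected
end

# Constructed demo: classify entry names against a scratch directory that
# contains a symlink ("link") pointing at the directory above it.
def classify_entries(names)
  Dir.mktmpdir('extract') do |base|
    FileUtils.ln_s(File.dirname(File.realpath(base)), File.join(base, 'link'))
    names.to_h { |name| [name, verdict(base, name)] }
  end
end

POC_NAME = '../' * 14 + 'tmp/zip_attack123' # same shape as the entry name in the report
SAMPLE_NAMES = [POC_NAME, '/etc/ld.so.preload', 'link/evil', 'docs/readme.txt', 'a/../b.txt'].freeze
p classify_entries(SAMPLE_NAMES)
```

Upgrading to rubyzip >= 1.2.1, as the later comments on this issue describe, remains the primary remedy; a caller-side check like this is defence in depth.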

@simonoff

Member

commented Feb 4, 2017

@ecneladis thank you for your report. I will review it tomorrow and will try to fix it.

@simonoff simonoff closed this in ce4208f Feb 8, 2017

@phillycheeze

commented Feb 13, 2017

Since this is a significant vulnerability, I have assigned a CVE ID to this issue.

CVE-2017-5946

dentarg added a commit to dentarg/extensionator that referenced this issue Mar 2, 2017

Update rubyzip dependency
rubyzip v1.2.1 fixes a security vulnerability: rubyzip/rubyzip#315

See https://github.com/rubyzip/rubyzip/releases/tag/v1.2.1 for additional changes.

@zillou zillou referenced this issue Mar 3, 2017

Closed

Allow newer rubyzip #9

amatriain added a commit to amatriain/feedbunch that referenced this issue Mar 6, 2017

Update rubyzip gem 1.2.0 -> 1.2.1
This fixes a directory traversal vulnerability, see rubyzip/rubyzip#315

TrevorBramble added a commit to cwebberOps/restforce-bulk that referenced this issue Mar 8, 2017

Loosen rubyzip dependency's version constraint
There is a [published security
vulnerability](rubyzip/rubyzip#315) in rubyzip
that requires upgrading it, but the prior version constraint did not
allow updating minor versions.

This change raises the minimum version of rubyzip to include the
vulnerability patch and drops the patch version from the constraint to
allow minor version updates.

joshpencheon pushed a commit to PublicHealthEngland/ndr_import that referenced this issue Mar 8, 2017

aliuk2012 pushed a commit to ministryofjustice/correspondence_tool_public that referenced this issue Mar 24, 2017

Alistair Laing
CT-567 Update rubyzip
Code Climate identified a security flaw with a gem our service
was using.

Code Climate Notice:

Advisory: CVE-2017-5946

URL: rubyzip/rubyzip#315

Solution: upgrade to >= 1.2.1

rap1ds added a commit to sharetribe/sharetribe that referenced this issue Apr 21, 2017

davidbl added a commit to doximity/neography that referenced this issue Jun 2, 2017

update rubyzip dependency
rubyzip had a security vulnerability that was corrected
in version 1.2.1
rubyzip/rubyzip#315

rakvium added a commit to rakvium/blog that referenced this issue Oct 4, 2017

Fix rubyzip directory traversal vulnerability
Name: rubyzip
Version: 0.9.9
Advisory: CVE-2017-5946
Criticality: Unknown
URL: rubyzip/rubyzip#315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1

@edymerchk edymerchk referenced this issue Oct 4, 2017

Closed

Update rubyzip #10

PratheepV added a commit to PratheepV/docx that referenced this issue Nov 1, 2017

patbl added a commit to patbl/capistrano-middleman that referenced this issue Feb 8, 2018

Loosen version requirement for Rubyzip
This allows you to use a version that has a fix for this security
vulnerability: rubyzip/rubyzip#315

The vulnerability doesn't affect static sites, but GitHub's security
alerting system doesn't know that.

Here's the changelog: https://github.com/rubyzip/rubyzip/blob/2f80da6289d8a407b37b0782b09aabfdd3420240/Changelog.md#121

Fixes fedux-org-attic#7.

joshpencheon added a commit to PublicHealthEngland/ndr_import that referenced this issue Mar 12, 2018

@allewun allewun referenced this issue May 24, 2018

Merged

[gemspec] use rubyzip >= 1.2.1 #12615
