Directory traversal vulnerability #315

Closed
ecneladis opened this issue Feb 4, 2017 · 2 comments

ecneladis commented Feb 4, 2017

Overview

The rubyzip module allows overwriting or creating arbitrary files via relative filenames, and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc, etc.

Proof of concept:

>> unzip traversal.zip
Archive:  traversal.zip
warning:  skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
  inflating: tmp/zip_attack123

>> ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory

>> ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
>> ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123

rubyzip_test_traversal.rb:

require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end

Vulnerable version and test environment

>> uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
>> ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
>> gem list | grep zip
rubyzip (1.2.0)

Analogous vulnerability in minitar gem: halostatue/minitar#16
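
A caller-side guard for the `entry.extract(entry.name)` pattern in the report, as an added example that is not part of the original issue and is not rubyzip's own fix. `safe_extract_path`, `UnsafeEntryName`, `classify_samples` and the sample names are hypothetical; only the Ruby standard library is used, so it runs without the gem.

```ruby
require 'tmpdir'

class UnsafeEntryName < StandardError; end

# Hypothetical helper (not rubyzip API): return the path an entry may be
# written to under dest_dir, or raise UnsafeEntryName.
def safe_extract_path(dest_dir, entry_name)
  root = File.realpath(dest_dir)              # resolve symlinks in the destination itself
  name = entry_name.tr('\\', '/')             # treat backslashes as separators too
  raise UnsafeEntryName, 'empty name or NUL byte' if name.empty? || name.include?("\0")
  raise UnsafeEntryName, "absolute path: #{entry_name}" if name.match?(%r{\A(/|[A-Za-z]:)})

  target = File.expand_path(File.join(root, name))  # collapses "." and ".." lexically
  inside = ->(p) { p == root || p.start_with?(root + File::SEPARATOR) }
  # Trailing separator in the prefix test keeps /x/out from matching /x/out-evil.
  raise UnsafeEntryName, "outside destination: #{entry_name}" unless inside.(target) && target != root

  # An earlier entry may have planted a symlink: check the nearest existing ancestor.
  raise UnsafeEntryName, "target is a symlink: #{entry_name}" if File.symlink?(target)
  parent = File.dirname(target)
  parent = File.dirname(parent) until File.exist?(parent)
  raise UnsafeEntryName, "symlinked parent: #{entry_name}" unless inside.(File.realpath(parent))
  target
end

# Constructed sample names; the first is the entry name from the report above.
SAMPLE_NAMES = [
  '../../../../../../../../../../../../../../tmp/zip_attack123',
  '/etc/ld.so.preload',
  'docs/../../escape.txt',
  'link/payload',          # "link" is a symlink pointing outside the destination
  'docs/readme.txt'
].freeze

def classify_samples
  Dir.mktmpdir('extract') do |dest|
    File.symlink(Dir.tmpdir, File.join(dest, 'link'))
    SAMPLE_NAMES.to_h do |name|
      safe_extract_path(dest, name)
      [name, :ok]
    rescue UnsafeEntryName => e
      [name, e.message.split(':').first]
    end
  end
end

classify_samples.each { |name, verdict| puts format('%-22s %s', verdict, name) }
```

In an extraction loop, the returned path would be passed to `entry.extract` in place of `entry.name`, and entries that raise would be skipped or abort the extraction.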

simonoff (Member) commented Feb 4, 2017

@ecneladis thank you for your report. I will review it tomorrow and will try to fix it.

simonoff closed this in ce4208f Feb 8, 2017

phillycheeze commented Feb 13, 2017

Since this is a significant vulnerability, I have assigned a CVE ID to this issue.

CVE-2017-5946

dentarg added a commit to dentarg/extensionator that referenced this issue Mar 2, 2017
rubyzip v1.2.1 fixes a security vulnerability: rubyzip/rubyzip#315

See https://github.com/rubyzip/rubyzip/releases/tag/v1.2.1 for additional changes.
amatriain added a commit to amatriain/feedbunch that referenced this issue Mar 6, 2017
This fixes a directory traversal vulnerability, see rubyzip/rubyzip#315
TrevorBramble added a commit to cwebberOps/restforce-bulk that referenced this issue Mar 8, 2017
There is a [published security
vulnerability](rubyzip/rubyzip#315) in rubyzip
that requires upgrading it, but the prior version constraint did not
allow updating minor versions.

This change raises the minimum version of rubyzip to include the
vulnerability patch and drops the patch version from the constraint to
allow minor version updates.
joshpencheon pushed a commit to publichealthengland/ndr_import that referenced this issue Mar 8, 2017
aliuk2012 pushed a commit to ministryofjustice/correspondence_tool_public that referenced this issue Mar 24, 2017
Code Climate identified a security flaw with a gem our service
was using.

Code Climate Notice:

Advisory: CVE-2017-5946

URL: rubyzip/rubyzip#315

Solution: upgrade to >= 1.2.1
aliuk2012 added a commit to ministryofjustice/correspondence_tool_public that referenced this issue Mar 24, 2017
Code Climate identified a security flaw with a gem our service
was using.

Code Climate Notice:

Advisory: CVE-2017-5946

URL: rubyzip/rubyzip#315

Solution: upgrade to >= 1.2.1
rap1ds added a commit to sharetribe/sharetribe that referenced this issue Apr 21, 2017
davidbl added a commit to doximity/neography that referenced this issue Jun 2, 2017
rubyzip had a security vulnerability that was corrected
in version 1.2.1
rubyzip/rubyzip#315
rakvium added a commit to rakvium/blog that referenced this issue Oct 4, 2017
Name: rubyzip
Version: 0.9.9
Advisory: CVE-2017-5946
Criticality: Unknown
URL: rubyzip/rubyzip#315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1
PratheepV added a commit to PratheepV/docx that referenced this issue Nov 1, 2017
joshpencheon added a commit to publichealthengland/ndr_import that referenced this issue Mar 12, 2018
niedfelj pushed a commit to niedfelj/qualtrics that referenced this issue Jun 2, 2020
Fixes RubyZip vulnerability

There was a vulnerability found in the `rubyzip` gem ([github issue](rubyzip/rubyzip#315)). This was fixed by updating the dependency to version `1.2.1`, which fixes the vulnerability.

See merge request !1