Several directory traversal vulnerabilities #369
CVE-2018-1000544 was assigned to this issue.
zammad-sync
pushed a commit
to zammad/zammad
that referenced
this issue
Aug 27, 2018
…ubyzip/rubyzip#369) which only affects test env (selenium-webdriver dependency) until it's resolved (rubyzip/rubyzip#376).
mkdynamic
added a commit
to delighted/rubyzip
that referenced
this issue
Aug 28, 2018
mkdynamic
added a commit
to delighted/roo
that referenced
this issue
Aug 28, 2018
Hi, I think that this fix is inadequate.

```
$ zipinfo absolutepath.zip
Archive: absolutepath.zip
Zip file size: 289 bytes, number of entries: 2
drwxr-xr-x 2.1 unx 0 bx stor 18-Jun-14 05:13 /tmp/
-rw-r--r-- 2.1 unx 5 bX defN 18-Jun-14 05:13 /tmp/file.txt
2 files, 5 bytes uncompressed, 7 bytes compressed: -40.0%
```

```ruby
require 'zip'

Zip::File.open("./absolutepath.zip") do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    # entry.extract(File.join(test_path, entry.name))
    entry.extract(entry.name)
  end
end
```

I think that if the destination directory is not specified, it should be expanded to the current directory.
walro
added a commit
to walro/extensionator
that referenced
this issue
Sep 3, 2018
rubyzip 1.2.2 includes the fix for CVE-2018-1000544: rubyzip/rubyzip#369
tdg5
pushed a commit
to Zensight/extensionator
that referenced
this issue
Sep 4, 2018
* Update rubyzip dependency
  rubyzip 1.2.2 includes the fix for CVE-2018-1000544: rubyzip/rubyzip#369
* Update Gemfile.lock to be consistent with the gemspec
shtakai
added a commit
to shtakai/rspec-retrospective
that referenced
this issue
Sep 4, 2018
I am not sure that `bundle audit` said about `rubyzip`, but `github` alerted about 'ffi'. So that I did `bundle update ffi --conservative`.

```
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
```
waterjump
added a commit
to mes/axlsx
that referenced
this issue
Sep 7, 2018
The rubyzip gem version 1.2.1 contains a security vulnerability allowing absolute path traversal. More details can be found here: rubyzip/rubyzip#369 This change addresses the issue by specifying a rubyzip version greater than or equal to 1.2.2. Solves issue randym#599
AdrianCann
added a commit
to sophomoric/secret
that referenced
this issue
Oct 14, 2018
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
wmfgerrit
pushed a commit
to wikimedia/mediawiki-vagrant
that referenced
this issue
Nov 27, 2018
From bundle-audit:
Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
Upgrade:
| ffi | 1.9.18 -> 1.9.25
| rubyzip | 1.2.1 -> 1.2.2
Bug: T209940
Change-Id: I3da41a964ff1128a4cbba3c05976cfcfca2d731f
Koronen
added a commit
to Koronen/koronen.github.io
that referenced
this issue
Jan 22, 2019
Address a couple of CVEs (as reported by `bundler-audit`).
Name: ffi
Version: 1.9.23
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
Overview
This issue is similar to already closed #315 but I found two ways to bypass that fix.
You can find files for tests in https://github.com/tuzovakaoff/zip_path_traversal
Proof of concept:
rubyzip.rb
1. Files with absolute path
UnZip strips absolute path
rubyzip extracts files with absolute path
2. Archive with symbolic link
UnZip extracts only symbolic link
rubyzip extracts symbolic link and puts file into /tmp folder
Vulnerable version and test environment
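
A caller-side check for the two cases in the report above (absolute entry names and writes through an extracted symbolic link), as an added example that is not code from the issue or from rubyzip. `safe_destination`, `classify_entries` and `UnsafeEntryError` are hypothetical names, and refusing every symlink below the destination directory is an assumed, deliberately strict policy.

```ruby
require 'pathname'
require 'tmpdir'

class UnsafeEntryError < StandardError; end

# Hypothetical helper (not part of rubyzip): map an archive entry name to a
# path inside dest_root, or raise UnsafeEntryError.
def safe_destination(dest_root, entry_name)
  root = File.realpath(dest_root)
  # Case 1: absolute names are made relative, as the report says UnZip does.
  relative = entry_name.sub(%r{\A/+}, '')
  # Joining before expanding keeps a leading "~" literal; ".." is collapsed.
  target = File.expand_path(File.join(root, relative))
  unless target == root || target.start_with?(root + File::SEPARATOR)
    raise UnsafeEntryError, "#{entry_name.inspect} resolves outside #{root}"
  end
  # Case 2: refuse to write through any symlink that already exists below the
  # root, e.g. one created by an earlier entry of the same archive.
  path = root
  Pathname.new(target).relative_path_from(Pathname.new(root)).each_filename do |part|
    path = File.join(path, part)
    raise UnsafeEntryError, "#{entry_name.inspect} passes through symlink #{path}" if File.symlink?(path)
  end
  target
end

# Returns [[name, :ok | :rejected], ...] for a list of entry names.
def classify_entries(dest_root, names)
  names.map do |name|
    begin
      safe_destination(dest_root, name)
      [name, :ok]
    rescue UnsafeEntryError
      [name, :rejected]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    Dir.mktmpdir do |outside|
      File.symlink(outside, File.join(root, 'link')) # constructed sample state
      names = ['docs/readme.txt', '/tmp/file.txt', '../evil.txt', 'link/file.txt']
      classify_entries(root, names).each { |name, verdict| puts "#{verdict}\t#{name}" }
    end
  end
end
```

Call `safe_destination` immediately before each entry is written, not once up front for the whole archive, so a link created by an earlier entry is seen by the check for later ones.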