[DRE-commits] [ruby-minitar] 01/01: Import Debian changes 0.5.4-3.1

Antonio Terceiro terceiro at moszumanska.debian.org
Tue Jan 31 17:39:06 UTC 2017


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch master
in repository ruby-minitar.

commit 019effe79d6b766f20de5d7562b22067c1f755e9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Mon Jan 30 07:00:07 2017 +0100

    Import Debian changes 0.5.4-3.1
    
    ruby-minitar (0.5.4-3.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
---
 debian/.gitignore                   |  5 -----
 debian/changelog                    |  7 +++++++
 debian/control                      |  2 +-
 debian/patches/CVE-2016-10173.patch | 22 ++++++++++++++++++++++
 debian/patches/series               |  1 +
 debian/rules                        | 11 ++++-------
 6 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/debian/.gitignore b/debian/.gitignore
deleted file mode 100644
index e2db936..0000000
--- a/debian/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-files
-ruby-minitar
-ruby-archive-tar-minitar
-*.debhelper.log
-*.substvars
diff --git a/debian/changelog b/debian/changelog
index 9011b78..27b7fe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-minitar (0.5.4-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Mon, 30 Jan 2017 07:00:07 +0100
+
 ruby-minitar (0.5.4-3) unstable; urgency=medium
 
   * [817a137] Move VCS to pkg-ruby-extras
diff --git a/debian/control b/debian/control
index 97fe5a5..f49f026 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers at lists.al
 Uploaders: Markus Frosch <lazyfrosch at debian.org>
 Build-Depends: debhelper (>= 9~),
                gem2deb
-Standards-Version: 3.9.7
+Standards-Version: 3.9.6
 Vcs-Git: https://anonscm.debian.org/git/pkg-ruby-extras/ruby-minitar.git
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-minitar.git
 Homepage: http://www.github.com/atoulme/minitar
diff --git a/debian/patches/CVE-2016-10173.patch b/debian/patches/CVE-2016-10173.patch
new file mode 100644
index 0000000..ae9efb9
--- /dev/null
+++ b/debian/patches/CVE-2016-10173.patch
@@ -0,0 +1,22 @@
+Description: CVE-2016-10173: directory traversal vulnerability
+Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
+Bug: https://github.com/halostatue/minitar/issues/16
+Bug-Debian: https://bugs.debian.org/853075
+Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
+Forwarded: not-needed
+Author: Jordi Massaguer
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2017-01-30
+
+--- a/lib/archive/tar/minitar.rb	
++++ a/lib/archive/tar/minitar.rb	
+@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
+         end
+ 
+         inp.each do |entry|
++            if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++              raise entry.full_name + " Error path contains .."
++            end
+           if files.empty? or files.include?(entry.full_name)
+             inp.extract_entry(dest, entry, &block)
+           end
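Review bot: The `..` test on the added `if` line is not anchored on its left side, so it also matches a path component that merely ends in two dots (a name such as `notes../a.txt`) and refuses archives that are not traversal attempts; `if entry.full_name.squeeze('/') =~ %r{(?:\A|/)\.\.(?:/|\z)}` matches only a whole `..` component. The guard also sits only in this `inp.each` loop, so any caller that reaches `extract_entry` by another route would not get it, as far as this hunk shows; putting the check inside `extract_entry` would cover both paths. Because the bare-string `raise` fires mid-iteration, entries handled before the offending one have presumably already been written, and the caller sees only a generic RuntimeError, so a dedicated exception class and a comment stating the partial-extraction behaviour would help. The added lines are indented two columns deeper than the surrounding block, and the enclosing method starts and ends outside the hunk.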
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7c8eced
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-10173.patch
diff --git a/debian/rules b/debian/rules
index 59eddd8..29f88eb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,10 +12,7 @@ VERSION := $(shell echo '$(DEBVERS)' | sed -e 's/^[[:digit:]]*://' -e 's/[~-].*/
 override_dh_install:
 	dh_install
 	# create gemspec for ruby-archive-tar-minitar
-	for path in `find debian/ruby-minitar/usr/share/rubygems-integration -name *.gemspec`; do\
-		spec=`basename "$$path"`; \
-		target="debian/ruby-archive-tar-minitar/"`dirname $${path#debian/ruby-minitar/}`; \
-		mkdir -p "$$target"; \
-		sed -e 's/s\.name = "minitar"/s.name = "ruby-archive-tar-minitar"/' \
-			"$$path" > "$$target"/"ruby-archive-tar-$$spec"; \
-	done
+	mkdir -p debian/ruby-archive-tar-minitar/$(GEMSPECPATH)/
+	sed -e 's/s\.name = "minitar"/s.name = "ruby-archive-tar-minitar"/' \
+	  debian/ruby-minitar/$(GEMSPECPATH)/minitar-$(VERSION).gemspec \
+	  > debian/ruby-archive-tar-minitar/$(GEMSPECPATH)/ruby-archive-tar-minitar-$(VERSION).gemspec
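Review bot: This recipe rewrite is not listed in the 0.5.4-3.1 changelog entry, which names only the CVE-2016-10173 fix, and the same commit also moves Standards-Version from 3.9.7 to 3.9.6 in debian/control; that pattern suggests the import may have overwritten unreleased packaging work, which is worth confirming so the security upload carries only the intended change. The new lines also depend on `$(GEMSPECPATH)`, whose definition is outside the hunk, and on the gemspec being named exactly `minitar-$(VERSION).gemspec`. A one-line comment above the `mkdir` stating where both values come from, or a guard such as `$(if $(strip $(GEMSPECPATH)),,$(error GEMSPECPATH is empty))`, would make a mis-set variable fail with a clear message instead of a sed error on a collapsed path.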

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-minitar.git


