[DRE-commits] [ruby-minitar] 01/01: Import Debian changes 0.5.4-3.1
Antonio Terceiro
terceiro at moszumanska.debian.org
Tue Jan 31 17:39:06 UTC 2017
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch master
in repository ruby-minitar.
commit 019effe79d6b766f20de5d7562b22067c1f755e9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Mon Jan 30 07:00:07 2017 +0100
Import Debian changes 0.5.4-3.1
ruby-minitar (0.5.4-3.1) unstable; urgency=high
* Non-maintainer upload.
* CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
---
debian/.gitignore | 5 -----
debian/changelog | 7 +++++++
debian/control | 2 +-
debian/patches/CVE-2016-10173.patch | 22 ++++++++++++++++++++++
debian/patches/series | 1 +
debian/rules | 11 ++++-------
6 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/debian/.gitignore b/debian/.gitignore
deleted file mode 100644
index e2db936..0000000
--- a/debian/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-files
-ruby-minitar
-ruby-archive-tar-minitar
-*.debhelper.log
-*.substvars
diff --git a/debian/changelog b/debian/changelog
index 9011b78..27b7fe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-minitar (0.5.4-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2016-10173: directory traversal vulnerability (Closes: #853075)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 30 Jan 2017 07:00:07 +0100
+
ruby-minitar (0.5.4-3) unstable; urgency=medium
* [817a137] Move VCS to pkg-ruby-extras
diff --git a/debian/control b/debian/control
index 97fe5a5..f49f026 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers at lists.al
Uploaders: Markus Frosch <lazyfrosch at debian.org>
Build-Depends: debhelper (>= 9~),
gem2deb
-Standards-Version: 3.9.7
+Standards-Version: 3.9.6
Vcs-Git: https://anonscm.debian.org/git/pkg-ruby-extras/ruby-minitar.git
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-minitar.git
Homepage: http://www.github.com/atoulme/minitar
diff --git a/debian/patches/CVE-2016-10173.patch b/debian/patches/CVE-2016-10173.patch
new file mode 100644
index 0000000..ae9efb9
--- /dev/null
+++ b/debian/patches/CVE-2016-10173.patch
@@ -0,0 +1,22 @@
+Description: CVE-2016-10173: directory traversal vulnerability
+Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
+Bug: https://github.com/halostatue/minitar/issues/16
+Bug-Debian: https://bugs.debian.org/853075
+Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
+Forwarded: not-needed
+Author: Jordi Massaguer
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2017-01-30
+
+--- a/lib/archive/tar/minitar.rb
++++ a/lib/archive/tar/minitar.rb
+@@ -975,6 +975,9 @@ module Archive::Tar::Minitar
+ end
+
+ inp.each do |entry|
++ if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++ raise entry.full_name + " Error path contains .."
++ end
+ if files.empty? or files.include?(entry.full_name)
+ inp.extract_entry(dest, entry, &block)
+ end
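Review bot: The added pattern `/\.{2}(?:\/|\z)/` is not anchored to the start of a path component, so besides real `..` components it also rejects harmless names such as `foo../bar` or a file whose name simply ends in two dots. Comparing whole components is both stricter and clearer, for example `if entry.full_name.split('/').include?('..')`, which also makes the `squeeze('/')` call unnecessary. The check raises a plain string (a RuntimeError) from inside the `inp.each` loop, so entries processed before the offending one have already been extracted and callers cannot tell this rejection from any other runtime failure; a dedicated exception class and a comment stating that extraction can stop part-way would help. The enclosing method starts and ends outside the hunk, so whether absolute entry names are confined to `dest` by `extract_entry` cannot be confirmed from here.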
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7c8eced
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-10173.patch
diff --git a/debian/rules b/debian/rules
index 59eddd8..29f88eb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,10 +12,7 @@ VERSION := $(shell echo '$(DEBVERS)' | sed -e 's/^[[:digit:]]*://' -e 's/[~-].*/
override_dh_install:
dh_install
# create gemspec for ruby-archive-tar-minitar
- for path in `find debian/ruby-minitar/usr/share/rubygems-integration -name *.gemspec`; do\
- spec=`basename "$$path"`; \
- target="debian/ruby-archive-tar-minitar/"`dirname $${path#debian/ruby-minitar/}`; \
- mkdir -p "$$target"; \
- sed -e 's/s\.name = "minitar"/s.name = "ruby-archive-tar-minitar"/' \
- "$$path" > "$$target"/"ruby-archive-tar-$$spec"; \
- done
+ mkdir -p debian/ruby-archive-tar-minitar/$(GEMSPECPATH)/
+ sed -e 's/s\.name = "minitar"/s.name = "ruby-archive-tar-minitar"/' \
+ debian/ruby-minitar/$(GEMSPECPATH)/minitar-$(VERSION).gemspec \
+ > debian/ruby-archive-tar-minitar/$(GEMSPECPATH)/ruby-archive-tar-minitar-$(VERSION).gemspec
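Review bot: The changelog entry added in this commit documents only the CVE-2016-10173 fix, yet this hunk also replaces the `find` loop in `override_dh_install` with a fixed path built from `$(GEMSPECPATH)` and `$(VERSION)`. The same commit lowers Standards-Version from 3.9.7 to 3.9.6 and deletes debian/.gitignore, which suggests the import may have overwritten packaging changes that existed only in git; that should be confirmed and recorded in the commit message or changelog. `GEMSPECPATH` is defined outside the hunk, so I would add a comment above the `mkdir` line along the lines of `# GEMSPECPATH and VERSION must match the gemspec installed by dh_install`.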
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-minitar.git