[DRE-commits] [ruby-mixlib-archive] 01/02: Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572)
Hleb Valoshka
tsfgnu-guest at moszumanska.debian.org
Mon Jul 17 14:43:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
tsfgnu-guest pushed a commit to branch stretch
in repository ruby-mixlib-archive.
commit d3ec6baf50f1236fa41d74eb242a2d72bfed4fe6
Author: Hleb Valoshka <375gnu at gmail.com>
Date: Mon Jul 17 17:42:25 2017 +0300
Prevent directory traversal attack CVE-2017-1000026 (Closes: #868572)
---
debian/gbp.conf | 2 ++
.../0002-Prevent-directory-traversal-attack.patch | 41 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 44 insertions(+)
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..ee4e7df
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch=stretch
diff --git a/debian/patches/0002-Prevent-directory-traversal-attack.patch b/debian/patches/0002-Prevent-directory-traversal-attack.patch
new file mode 100644
index 0000000..09ee5d9
--- /dev/null
+++ b/debian/patches/0002-Prevent-directory-traversal-attack.patch
@@ -0,0 +1,41 @@
+From: Hleb Valoshka <375gnu at gmail.com>
+Date: Mon, 17 Jul 2017 17:35:45 +0300
+Subject: Prevent directory traversal attack
+
+---
+ lib/mixlib/archive.rb | 2 ++
+ spec/mixlib/archive_spec.rb | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/mixlib/archive.rb b/lib/mixlib/archive.rb
+index 478cd96..d22224e 100644
+--- a/lib/mixlib/archive.rb
++++ b/lib/mixlib/archive.rb
+@@ -21,6 +21,8 @@ module Mixlib
+ Log.level = :error
+
+ def extract(destination, perms: true, ignore: [])
++ ignore = [/^\.$/, /\.{2}/] + ignore
++
+ create_and_empty(destination)
+
+ extractor.extract(destination, perms: perms, ignore: ignore)
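Review bot: the `/\.{2}/` pattern prepended on the `ignore = [/^\.$/, /\.{2}/] + ignore` line is unanchored, so it also skips any legitimate entry whose name merely contains two consecutive dots (for example `foo..bar`), and it only catches parent-directory references: an entry with an absolute path, or a symlink entry pointing outside `destination`, is not caught by either pattern. Consider matching `..` only as a whole path component, e.g. `%r{(^|/)\.\.(/|$)}`, and rejecting entries whose path starts with `/` as well; how `extractor.extract` applies the `ignore` regexes (full path or basename) is not visible in this hunk, so that should be confirmed before relying on the filter. A one-line comment above the new assignment explaining why these two patterns are forced in front of the caller's list would also help, and note that a caller passing `ignore: nil` now fails with a TypeError on the `+` rather than wherever the extractor handled it before.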
+diff --git a/spec/mixlib/archive_spec.rb b/spec/mixlib/archive_spec.rb
+index 2d9b7a7..2055034 100644
+--- a/spec/mixlib/archive_spec.rb
++++ b/spec/mixlib/archive_spec.rb
+@@ -44,12 +44,12 @@ describe Mixlib::Archive do
+ end
+
+ it "runs the extractor" do
+- expect(extractor).to receive(:extract).with(destination, { perms: true, ignore: [] })
++ expect(extractor).to receive(:extract).with(destination, { perms: true, ignore: [/^\.$/, /\.{2}/] })
+ archive.extract(destination)
+ end
+
+ it "passes options to the extractor" do
+- expect(extractor).to receive(:extract).with(destination, { perms: false, ignore: [] })
++ expect(extractor).to receive(:extract).with(destination, { perms: false, ignore: [/^\.$/, /\.{2}/] })
+ archive.extract(destination, perms: false)
+ end
+ end
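Review bot: both updated expectations only assert that the literal array `[/^\.$/, /\.{2}/]` is forwarded; nothing exercises the traversal itself or the ordering when the caller supplies its own list. Add a case that calls `archive.extract(destination, ignore: [/foo/])` and expects `ignore: [/^\.$/, /\.{2}/, /foo/]`, so the defaults-first ordering from `[/^\.$/, /\.{2}/] + ignore` is pinned, and, since `extractor` is a double here, an integration spec that extracts a real archive containing a `../` entry and asserts that nothing is written outside `destination`.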
diff --git a/debian/patches/series b/debian/patches/series
index 7d36bb6..f423877 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-Require-tmpdir-in-specs-clean-load_path.patch
+0002-Prevent-directory-traversal-attack.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-mixlib-archive.git