[DRE-commits] [ruby-zip] 01/01: Import Debian changes 1.1.6-1+deb8u1
Antonio Terceiro
terceiro at moszumanska.debian.org
Fri Mar 3 20:46:25 UTC 2017
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch debian/jessie
in repository ruby-zip.
commit 3910fba30ccad2b62ee134c2f2da0adb1b16cee0
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Mar 3 07:21:15 2017 +0100
Import Debian changes 1.1.6-1+deb8u1
ruby-zip (1.1.6-1+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
[ Antonio Terceiro ]
* debian/patches/ftbfs-jessie.patch: fix build failure on jessie
[ Salvatore Bonaccorso ]
* CVE-2017-5946: directory traversal vulnerability in Zip::File component
(Closes: #856269)
ruby-zip (1.1.6-1) unstable; urgency=medium
* Team upload
[ David Suárez ]
* New upstream release.
* Drop 'dont-use-home' patch; Fixed upstream.
* Add 'fix-random-tests-failures' patch from upstream.
Fixes FTBFS on some archs.
* debian/copyright: Fix Ruby license short name.
* debian/rules: add tests generated file to clean.
* Drop 'libzip-ruby1.9.1' transitional package.
[ Antonio Terceiro ]
* debian/rules: export LANG=C.UTF-8 since the test suite assumes a UTF-8
locale
* debian/control add `Testsuite: autopkgtest-pkg-perl`
ruby-zip (1.1.2-2) unstable; urgency=medium
* debian/patches/dont-use-home.patch: don't use home directory while in
tests. Fixes FTBFS pretty much everywhere.
ruby-zip (1.1.2-1) unstable; urgency=medium
* Team upload; package being reintroduced after removal (Closes: #738745).
* New upstream release.
[ David Suárez ]
* New upstream release
* Switch package to gem2deb helper (Closes: #722367 #647073)
- Build against supported runtimes (Closes: #730962)
- debian/control: Add Vcs-* header
- debian/compat: bump to version7
* Remove old 1.8 package and add 1.9 transitional one
* Add working watch file
* debian/control: update homepage url
* Update standards version; no changes needed
* Update copyright file
* Move package to Debian Ruby Extras team
libzip-ruby (0.9.4-1) unstable; urgency=medium
* New upstream release
* Add ruby 1.9.1 support
libzip-ruby (0.9.1-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.12-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.6-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.5-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.3-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.2-1) unstable; urgency=low
* New upstream release
libzip-ruby (0.5.1-3) unstable; urgency=low
* fixed: commit will break files.
libzip-ruby (0.5.1-2) unstable; urgency=low
* fixed; install dir.
libzip-ruby (0.5.1-1) unstable; urgency=low
* Initial Release.
---
debian/changelog | 12 +++++++++---
debian/patches/CVE-2017-5946.patch | 23 +++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 0d514cb..193f0c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,15 @@
-ruby-zip (1.1.6-2) jessie; urgency=medium
+ruby-zip (1.1.6-1+deb8u1) jessie-security; urgency=high
- * Team upload.
+ * Non-maintainer upload by the Security Team.
+
+ [ Antonio Terceiro ]
* debian/patches/ftbfs-jessie.patch: fix build failure on jessie
- -- Antonio Terceiro <terceiro at debian.org> Thu, 02 Mar 2017 16:46:02 -0300
+ [ Salvatore Bonaccorso ]
+ * CVE-2017-5946: directory traversal vulnerability in Zip::File component
+ (Closes: #856269)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 03 Mar 2017 07:21:15 +0100
ruby-zip (1.1.6-1) unstable; urgency=medium
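Review bot: the existing `ruby-zip (1.1.6-2) jessie` stanza is rewritten in place (its `* Team upload.` line and the 02 Mar 2017 signature disappear) instead of a new stanza being added above it; that is only correct if 1.1.6-2 was never uploaded to jessie, otherwise the version history loses an entry. It would also help to name the upstream commit the backport comes from next to the `+ * CVE-2017-5946:` line, so the origin of debian/patches/CVE-2017-5946.patch is traceable from the changelog alone.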
diff --git a/debian/patches/CVE-2017-5946.patch b/debian/patches/CVE-2017-5946.patch
new file mode 100644
index 0000000..15bd330
--- /dev/null
+++ b/debian/patches/CVE-2017-5946.patch
@@ -0,0 +1,23 @@
+From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
+From: Alexander Simonov <alex at simonov.me>
+Date: Wed, 8 Feb 2017 13:43:14 +0200
+Subject: [PATCH] Fix #315 and resolve relative path vulnerability
+
+---
+ lib/zip/entry.rb | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/lib/zip/entry.rb
++++ b/lib/zip/entry.rb
+@@ -148,6 +148,11 @@ module Zip
+ def extract(dest_path = @name, &block)
+ block ||= proc { ::Zip.on_exists_proc }
+
++ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
++ puts "WARNING: skipped \"../\" path component(s) in #{@name}"
++ return self
++ end
++
+ if directory? || file? || symlink?
+ self.__send__("create_#{@ftype}", dest_path, &block)
+ else
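Review bot: the new guard silently skips the entry and then `return self`, which is the same value a successful `extract` returns, and the message goes to stdout via `puts`; a caller iterating over entries therefore cannot tell a skipped entry from an extracted one. Consider `warn` (stderr) or raising so the condition is detectable, e.g. `raise ::Zip::Error, "skipped \"../\" path component(s) in #{@name}"`. Note also that the regex `/\.{2}(?:\/|\z)/` is applied to `@name` only and matches `..` path components only: an entry whose name is an absolute path, or a `dest_path` passed in by the caller, is not covered by this check, so callers should still verify that the resolved destination lies inside the intended extraction directory. Finally, the patch carries only the git `From:`/`Date:`/`Subject:` header; adding DEP-3 `Origin:` (upstream commit ce4208fdecc2ad079b05d3c49d70fe6ed1d07016) and `Bug-Debian:` (#856269) lines would document where it comes from.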
diff --git a/debian/patches/series b/debian/patches/series
index 31b4deb..0a7ed59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
ignore-simplecov.diff
fix-random-tests-failures
ftbfs-jessie.patch
+CVE-2017-5946.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-zip.git