Description: CVE-2016-10173: directory traversal vulnerability Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945 Bug: https://github.com/halostatue/minitar/issues/16 Bug-Debian: https://bugs.debian.org/853249 Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740 Forwarded: not-needed Author: Jordi Massaguer Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> Last-Update: 2017-01-30 --- a/lib/archive/tar/minitar.rb +++ b/lib/archive/tar/minitar.rb @@ -969,6 +969,9 @@ module Archive::Tar::Minitar end inp.each do |entry| + if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/ + raise entry.full_name + " Error path contains .." + end if files.empty? or files.include?(entry.full_name) inp.extract_entry(dest, entry, &block) end
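Review bot: the new guard in the `inp.each` loop raises a bare string (`raise entry.full_name + " Error path contains .."`), which produces a generic `RuntimeError` that callers cannot rescue selectively; a dedicated exception class (or at least an `ArgumentError`) with the path in the message would be the cleaner contract, and because the raise happens mid-loop, entries before the offending one have already been written to `dest`, which the patch description should mention. The pattern `/\.{2}(?:\/|\z)/` is applied to the whole name rather than per path component, so a legitimate entry such as `foo../bar` is rejected as well (a false positive, not a security problem). Note also that the guard only inspects `entry.full_name` for a `..` component: a name beginning with `/` is not rejected here, so whether an absolute entry name can escape `dest` depends on how `inp.extract_entry(dest, entry, &block)` joins the two, which is outside this hunk and worth confirming. Finally, the check runs before `files.include?(entry.full_name)`, so an entry the caller did not ask for still aborts the extraction; that is the fail-closed choice and is fine, but it deserves a comment so it is not "fixed" later.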