Sophie


ruby-archive-tar-minitar-0.5.2-14.2.mga5.src.rpm

Description: CVE-2016-10173: directory traversal vulnerability
Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
Bug: https://github.com/halostatue/minitar/issues/16
Bug-Debian: https://bugs.debian.org/853249
Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
Forwarded: not-needed
Author: Jordi Massaguer
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2017-01-30

--- a/lib/archive/tar/minitar.rb
+++ b/lib/archive/tar/minitar.rb
@@ -969,6 +969,9 @@ module Archive::Tar::Minitar
         end
 
         inp.each do |entry|
+            if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+              raise entry.full_name + " Error path contains .."
+            end
           if files.empty? or files.include?(entry.full_name)
             inp.extract_entry(dest, entry, &block)
           end
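Review bot: The pattern on the added `if` line, `/\.{2}(?:\/|\z)/`, is not anchored to the start of a path component, so it also rejects harmless names whose component merely ends in two dots, such as `foo../bar` or `file..`. Requiring `..` to be a whole component, for example `/(?:\A|\/)\.\.(?:\/|\z)/`, keeps the traversal check without the false positives. The check also sits before the `files.empty? or files.include?(entry.full_name)` filter and raises from inside `inp.each`, so one offending entry aborts the run even when that entry was not requested, and entries already extracted stay on disk. If that is intended it deserves a comment; otherwise validate all names before extracting anything. Raising a bare string produces a generic `RuntimeError`, so callers cannot distinguish this case; a dedicated exception class would be easier to rescue. Minor: the three added lines are indented two spaces deeper than the surrounding block.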