Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Ruby Archive::Tar::Minitar: Directory traversal — GLSA 201702-32

Ruby Archive::Tar::Minitar is vulnerable to a directory traversal attack.

Affected packages

Package dev-ruby/archive-tar-minitar on all architectures
Affected versions < 0.6.1
Unaffected versions >= 0.6.1

Background

Archive::Tar::Minitar is a pure-Ruby library and command-line utility that provides the ability to deal with POSIX tar(1) archive files.

Description

Michal Marek discovered that Ruby Archive::Tar::Minitar is vulnerable to a directory traversal vulnerability.

Impact

A remote attacker could entice a user or an automated system to process a specially crafted archive using Ruby Archive::Tar::Minitar possibly allowing the writing of arbitrary files with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Ruby Archive::Tar::Minitar users should upgrade to the latest version: 

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-ruby/archive-tar-minitar-0.6.1"

References

Release date
February 22, 2017

Latest revision
February 22, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries