Ruby Archive::Tar::Minitar: Directory traversal — GLSA 201702-32

Ruby Archive::Tar::Minitar is vulnerable to a directory traversal attack.

Affected Packages

dev-ruby/archive-tar-minitar on all architectures
Affected versions < 0.6.1
Unaffected versions >= 0.6.1

Background

Archive::Tar::Minitar is a pure-Ruby library and command-line utility that provides the ability to deal with POSIX tar(1) archive files.

Description

Michal Marek discovered that Ruby Archive::Tar::Minitar is vulnerable to a directory traversal vulnerability.

Impact

A remote attacker could entice a user or an automated system to process a specially crafted archive using Ruby Archive::Tar::Minitar possibly allowing the writing of arbitrary files with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Ruby Archive::Tar::Minitar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-ruby/archive-tar-minitar-0.6.1"
 

References

Release Date
February 22, 2017

Latest Revision
February 22, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries