Advisories » MGASA-2017-0060

Updated ruby-archive-tar-minitar packages fix security vulnerability

Publication date: 20 Feb 2017
Modification date: 20 Feb 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-10173

Description

Directory traversal vulnerability in the minitar before 0.6 and
archive-tar-minitar 0.5.2 gems for Ruby allows remote attackers to write
to arbitrary files via a .. (dot dot) in a TAR archive entry.
(CVE-2016-10173)

Moreover the updated packages replace deprecated require_gem by gem to
make minitar work.

References

SRPMS

5/core

ruby-archive-tar-minitar-0.5.2-14.2.mga5