Merge pull request #274 from rubysec/cve-2016-10173

mveytsman · web-flow · commit c40084bf2e9e · 2017-02-02T13:11:39.000-05:00
Directory traversal vulns for minitar
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -34,5 +34,6 @@ This database would not be possible without volunteers willing to submit pull re
 * [Andrew Selder](https://github.com/aselder)
 * [Vanessa Henderson](https://github.com/VanessaHenderson)
 * [Reed Loden](https://github.com/reedloden)
+* [ecneladis](https://github.com/ecneladis)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).
diff --git a/gems/archive-tar-minitar/CVE-2016-10173.yml b/gems/archive-tar-minitar/CVE-2016-10173.yml
@@ -0,0 +1,17 @@
+---
+gem: archive-tar-minitar
+cve: 2016-10173
+url: https://github.com/atoulme/minitar/issues/5
+title: Archive-Tar-Minitar Directory Traversal Vulnerability
+date: 2016-08-22
+description: |
+  Minitar allows attackers to overwrite arbitrary files during archive
+  extraction via a .. (dot dot) in an extracted filename. Analogous
+  vulnerabilities for unzip and tar:
+  https://www.cvedetails.com/cve/CVE-2001-1268/ and
+  http://www.cvedetails.com/cve/CVE-2001-1267/
+
+  Credit: ecneladis
+patched_versions:
+  #This version is unreleased as os 2017-01-31
+  - ">= 0.60"
diff --git a/gems/minitar/CVE-2016-10173.yml b/gems/minitar/CVE-2016-10173.yml
@@ -0,0 +1,17 @@
+---
+gem: minitar
+cve: 2016-10173
+url: https://github.com/halostatue/minitar/issues/16
+title: Minitar Directory Traversal Vulnerability
+date: 2016-08-22
+description: |
+  Minitar allows attackers to overwrite arbitrary files during archive
+  extraction via a .. (dot dot) in an extracted filename. Analogous
+  vulnerabilities for unzip and tar:
+  https://www.cvedetails.com/cve/CVE-2001-1268/ and
+  http://www.cvedetails.com/cve/CVE-2001-1267/
+
+  Credit: ecneladis
+patched_versions:
+  #This version is unreleased as os 2017-01-31
+  - ">= 0.60"
