heap overflow and information leak in zipruby

[grosser]

@phillmv

https://packetstormsecurity.com/files/111242/libzip-0.10-Heap-Overflow-Information-Leak.html

[reedloden]

Just "2012-1163" (without the CVE- part)

[grosser]

done!

[VanessaHenderson]

There are no versions currently released that are above this, should we really be putting this as patched versions? We can't guarantee that there will ever be a fixed version released...

[VanessaHenderson]

By that I mean the latest commit in the repository is 2 days before the official release notice of libzip 0.10. Did they actually update it? I don't know much about C...

[sergey-alekseev]

should be > 0.3.6

[phillmv]

OKAY. Thanks for all the pull requests @grosser!

If I understand this correctly, forever ago someone found a couple CVEs in libzip, which is used by zipruby, which has been totally abandoned.

In this light, there aren't any patched versions since https://rubygems.org/gems/zipruby/ shows that 0.3.6 is the last version that has been released, and the advisory claims that 0.3.6 is vulnerable. (Thanks, @VanessaHenderson)

@grosser, if you could please:

• delete the 'patched_versions' line, since none exist
• create one file per CVE, with the appropriate description (keep the url the same :))
• while you're at it, change the title of the first one (2012-1162) to "zipruby is susceptible to a heap overflow", and the title of the other (2012-1163) to "A flaw in zipruby may allow information leaks"

and we should be good :).

[grosser]

updated, looking good ?

On Thu, Oct 22, 2015 at 8:06 AM, Phill MV notifications@github.com wrote:

OKAY. Thanks for all the pull requests @grosser
https://github.com/grosser!

If I understand this correctly, forever ago someone found a couple CVEs in
libzip, which is used by zipruby, which has been totally abandoned.

In this light, there aren't any patched versions since
https://rubygems.org/gems/zipruby/ shows that 0.3.6 is the last version
that has been released, and the advisory claims that 0.3.6 is vulnerable.
(Thanks, @VanessaHenderson https://github.com/VanessaHenderson)

@grosser https://github.com/grosser, if you could please:

• delete the 'patched_versions' line, since they none exist
• create one file per CVE, with the appropriate description (keep the
  url the same :))
• while you're at it, change the title of the first one (2012-1162) to
  "zipruby is susceptible to a heap overflow", and the title of the other
  (2012-1163) to "A flaw in zipruby may allow information leaks"

and we should be good :).

—
Reply to this email directly or view it on GitHub
#207 (comment)
.