heap overflow and information leak in zipruby #207
@@ -0,0 +1,15 @@ | |||
--- | |||
gem: zipruby | |||
cve: CVE-2012-1163 |
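Review bot: the `cve:` value on the last line of this hunk carries the `CVE-` prefix; the database convention is the bare identifier, so this should read `cve: 2012-1163`.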
Just "2012-1163" (without the CVE- part)
done!
eaabf3f to 61f42f7
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are | ||
also affected as they include copies of affected libzip versions. | ||
patched_versions: | ||
- ">= 0.3.6" |
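Review bot: `patched_versions: - ">= 0.3.6"` contradicts the description two lines above it, which states that zipruby version <= 0.3.6 is affected; `>= 0.3.6` would mark the vulnerable release itself as patched. Either change the constraint to `> 0.3.6` or, given that no release beyond 0.3.6 exists, omit the `patched_versions` entry entirely rather than asserting a fix that has not shipped.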
There are no versions currently released that are above this, should we really be putting this as patched versions? We can't guarantee that there will ever be a fixed version released...
should be > 0.3.6
OKAY. Thanks for all the pull requests @grosser! If I understand this correctly, forever ago someone found a couple of CVEs in libzip, which is used by zipruby, which has been totally abandoned. In this light, there aren't any patched versions since https://rubygems.org/gems/zipruby/ shows that 0.3.6 is the last version that has been released, and the advisory claims that 0.3.6 is vulnerable. (Thanks, @VanessaHenderson) @grosser, if you could please:
and we should be good :).
61f42f7 to 015731f
updated, looking good? On Thu, Oct 22, 2015 at 8:06 AM, Phill MV notifications@github.com wrote:
@phillmv https://packetstormsecurity.com/files/111242/libzip-0.10-Heap-Overflow-Information-Leak.html