Ruby bindings: Security vulnerability in rubyzip 1.2.1 #6330

Closed
rhymes opened this issue Aug 25, 2018 · 7 comments
Comments

rhymes commented Aug 25, 2018

Just FYI

I know it sounds like déjà vu because of #3728, but there's actually a separate issue with the library on version 1.2.1 listed on the NIST db: CVE-2018-1000544

The patch is not out yet, but this is the thread where they are discussing it on the rubyzip repo: rubyzip/rubyzip#371

I tried to see if there's an alternative for this library, but there doesn't seem to be any, so even switching library (its usage is quite contained in the ruby bindings) is not an option.

p0deje (Member) commented Aug 27, 2018

I'll keep an eye on the RubyZip issue and will bump the version once there is a fix. Thank you for the report!

soundasleep commented

rubyzip/rubyzip#371 is now marked as Merged. Is this ready to be updated?

p0deje (Member) commented Sep 3, 2018

@soundasleep You can update RubyZip by yourself - Selenium needs ~> 1.2 so 1.2.2 works just fine. Just do bundle update rubyzip.

@rhymes I feel like I should just keep the desired version as-is and not update it to >= 1.2.2. Do you have any objections? @titusfortner @lmtierney What do you guys think?

rhymes (Author) commented Sep 3, 2018

@p0deje the default on https://rubygems.org/gems/rubyzip has become gem 'rubyzip', '~> 1.2', '>= 1.2.2'. I would consider using that.
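To show what the two constraints discussed above actually allow, here is an added example (not code from the Selenium or rubyzip projects) that feeds both requirement strings through RubyGems' own resolver classes. The version list is a constructed sample; the point is that "~> 1.2" alone still admits the 1.2.1 release this issue reports, while adding ">= 1.2.2" excludes it.

```ruby
# Added example, not from the Selenium or rubyzip repositories.
# Compares the constraint Selenium carried at the time ("~> 1.2") with the
# one suggested from rubygems.org ("~> 1.2", ">= 1.2.2").
require 'rubygems'

# "~> 1.2" is the pessimistic operator: >= 1.2 and < 2.0
SELENIUM_CONSTRAINT = Gem::Requirement.new('~> 1.2')

# Same upper bound, but the floor is raised to the patched release
RUBYGEMS_CONSTRAINT = Gem::Requirement.new('~> 1.2', '>= 1.2.2')

# Constructed sample of versions a resolver might choose from (not a real
# listing of every rubyzip release).
SAMPLE_VERSIONS = %w[1.2.0 1.2.1 1.2.2 1.3.0 2.0.0].freeze

# Returns the subset of +versions+ that +requirement+ would accept.
def allowed_versions(requirement, versions = SAMPLE_VERSIONS)
  versions.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# True when the constraint still permits the release this issue reports
# as affected (1.2.1), i.e. the pin alone does not keep it out of a lockfile.
def permits_vulnerable?(requirement, vulnerable = '1.2.1')
  requirement.satisfied_by?(Gem::Version.new(vulnerable))
end

if __FILE__ == $PROGRAM_NAME
  [SELENIUM_CONSTRAINT, RUBYGEMS_CONSTRAINT].each do |req|
    puts "#{req}: allows #{allowed_versions(req).join(', ')}; " \
         "permits 1.2.1? #{permits_vulnerable?(req)}"
  end
end
```

Note that a loosened constraint only takes effect for users once a new gem release ships with it; until then the published gemspec keeps whatever floor it had.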

p0deje closed this as completed in 94e1721 Sep 3, 2018

p0deje (Member) commented Sep 3, 2018

Thank you!

grigaman pushed a commit to grigaman/selenium that referenced this issue Sep 20, 2018
msdundar commented Sep 27, 2018

@p0deje Are you gonna update the GEM located at rubygems.org? Because it seems like it's still referencing the old version of rubyzip.

lmtierney (Member) commented

@msdundar it will be updated when we do a new release. There has not been a new release since the change was made.

lock bot locked and limited conversation to collaborators Aug 15, 2019