Update rubyzip when an update is available that fixes CVE-2018-1000544 #1222
Comments
Note that this will mean that, in the short term, all attempts to update master, staging, or production will fail, because we have a KNOWN vulnerable component. We could probably narrow that down to only complain when gems used in production have a known vulnerability, but we haven't needed to do that before.
I don't see any easy way to tell bundle-audit to "ignore gems that are only used in development or test". If we had to hand-jam this, we could change:
by appending this:
Change of plans. This issue prevents updates, and rubyzip has failed to fix this since July 1. Since it doesn't affect production, I think we should just ignore the vulnerability (using --ignore).
Ignore CVE-2018-1000544 (a vulnerability in rubyzip). It does not affect production. See: #1222 rubyzip/rubyzip#371 https://nvd.nist.gov/vuln/detail/CVE-2018-1000544 Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Rubyzip has belatedly updated... and so have we.
The "rubyzip gem version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..." See CVE-2018-1000544.
Unfortunately, there is currently no working update from upstream rubyzip; they're working on it, but seem to be having trouble.
Thankfully, we aren't vulnerable. We only use rubyzip during testing, not during production (see Gemfile.lock to verify), and the test inputs are from trusted sources.
My current plan is to just let the rubyzip folks release an update, and then update. Emergency measures would take time, and we don't need to do that.
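The traversal pattern the NVD text above describes (entry names containing `../`, absolute entry names, and symlinks pointing outside the extraction directory), shown as an added Ruby example that is not part of this issue, of the project it belongs to, or of rubyzip. It does not use rubyzip at all: `sample_entries` builds a constructed list of hashes standing in for the entries a zip reader would hand back, `naive_extract` is the vulnerable pattern, and `safe_extract` is the hardened one. All function names, entry names and the temporary-directory layout are assumptions made for the example.

```ruby
require "fileutils"
require "tmpdir"

# Constructed stand-in for the entry list a zip reader would return
# (not real rubyzip output). Each entry has :name and either :data
# (regular file contents) or :link (symlink target).
def sample_entries(absolute_path)
  [
    { name: "docs/readme.txt",      data: "benign" },
    { name: "docs/../inside.txt",   data: "normalises to dest/inside.txt" },
    { name: "../../outside.txt",    data: "classic ../ traversal" },
    { name: absolute_path,          data: "absolute entry name" },
    { name: "link",                 link: "../.." },            # symlink escaping dest
    { name: "link/via-symlink.txt", data: "written through the symlink" },
  ]
end

# Vulnerable pattern: join the entry name onto dest and write whatever it
# names. With the entries above this writes ../../outside.txt and, via the
# planted symlink, a file two directories above dest.
def naive_extract(entries, dest)
  entries.map do |e|
    target = File.join(dest, e[:name])
    FileUtils.mkdir_p(File.dirname(target))
    e[:link] ? File.symlink(e[:link], target) : File.write(target, e[:data])
    target
  end
end

# true when abs (an absolute path) is dest itself or lies below it
def inside?(dest, abs)
  abs == dest || abs.start_with?(dest + File::SEPARATOR)
end

# Hardened extraction: normalise every name against dest before touching
# the filesystem (File.absolute_path, not expand_path, so "~" is not
# expanded), refuse symlinks whose target resolves outside dest, and
# re-check the real (symlink-resolved) parent directory right before
# writing, which catches a symlink already planted on disk by an earlier
# entry. Returns [written_names, rejected_names].
def safe_extract(entries, dest)
  dest = File.absolute_path(dest)
  FileUtils.mkdir_p(dest)
  written, rejected = [], []
  entries.each do |e|
    target = File.absolute_path(e[:name], dest)
    unless inside?(dest, target)
      rejected << e[:name]
      next
    end
    parent = File.dirname(target)
    FileUtils.mkdir_p(parent)
    unless inside?(File.realpath(dest), File.realpath(parent))
      rejected << e[:name]
      next
    end
    if e[:link]
      link_target = File.absolute_path(e[:link], parent)
      unless inside?(dest, link_target)
        rejected << e[:name]
        next
      end
      File.symlink(e[:link], target)
    else
      File.write(target, e[:data])
    end
    written << e[:name]
  end
  [written, rejected]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, "a", "b")
    written, rejected = safe_extract(sample_entries(File.join(tmp, "abs.txt")), dest)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```

The string check on the normalised name is necessary but not sufficient: an entry such as `planted/x.txt` passes it, yet if `planted` is already a symlink on disk the write lands wherever it points. That is why `safe_extract` resolves the parent with `File.realpath` immediately before writing, and why symlink entries are only created when their own target resolves inside `dest`.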