
Update rubyzip when an update is available that fixes CVE-2018-1000544 #1222

Closed
david-a-wheeler opened this issue Aug 25, 2018 · 4 comments

Comments

@david-a-wheeler
Collaborator

david-a-wheeler commented Aug 25, 2018

The "rubyzip gem version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..." See CVE-2018-1000544.

Unfortunately, there is currently no working update from upstream rubyzip; they're working on it, but seem to be having trouble.

Thankfully, we aren't vulnerable. We only use rubyzip during testing, not during production (see Gemfile.lock to verify), and the test inputs are from trusted sources.

My current plan is to just let the rubyzip folks release an update, and then update. Emergency measures would take time, and we don't need to do that.
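The traversal class quoted above (entry names that resolve outside the extraction directory, plus symlink entries) as a pre-extraction check. This is an added example, not code from this project or from rubyzip; it uses only the Ruby standard library so it runs without the gem, and the destination path and entry names are constructed for the demonstration.

```ruby
# Added example (not from the project or from rubyzip): a pre-extraction check
# for the traversal class described in CVE-2018-1000544. Uses only the Ruby
# standard library; the entry names and destination directory below are
# constructed for illustration.

# Returns the absolute path an entry may be written to under DEST, or nil if
# the entry name would land outside DEST (absolute or drive-rooted names,
# ".." components, or backslash-separated variants of these).
def safe_extract_path(dest, entry_name)
  dest_abs = File.absolute_path(dest)
  # Treat backslashes as separators: some archivers emit them and some
  # extractors honour them, so "..\\..\\x" must be judged like "../../x".
  normalized = entry_name.tr("\\", "/")
  # Absolute and drive-rooted names are never legitimate inside an archive.
  return nil if normalized.start_with?("/") || normalized.match?(/\A[A-Za-z]:/)
  # File.absolute_path (unlike File.expand_path) does not expand "~", so a
  # name such as "~root/x" stays inside DEST instead of pointing at a home dir.
  target = File.absolute_path(normalized, dest_abs)
  # Compare with a trailing separator so "/tmp/out-other" does not pass as
  # being inside "/tmp/out"; DEST itself (an empty or "." name) is rejected too.
  return nil unless target.start_with?(dest_abs + "/")
  target
end

# Entries are hashes {name:, symlink:}, the shape a zip reader would supply.
# Symlink entries are rejected outright: an archive-controlled link target is
# the other half of the CVE text, and test fixtures do not need them.
def classify_entries(dest, entries)
  result = { safe: [], rejected: [] }
  entries.each do |entry|
    if entry[:symlink]
      result[:rejected] << [entry[:name], "symlink entry"]
      next
    end
    target = safe_extract_path(dest, entry[:name])
    if target
      result[:safe] << target
    else
      result[:rejected] << [entry[:name], "escapes destination"]
    end
  end
  result
end

# Constructed sample: entry names of the kinds a hostile archive could carry.
SAMPLE_ENTRIES = [
  { name: "docs/readme.txt",      symlink: false },
  { name: "lib/../config.yml",    symlink: false }, # resolves inside DEST, allowed
  { name: "../../etc/cron.d/job", symlink: false },
  { name: "/etc/passwd",          symlink: false },
  { name: "..\\..\\win.ini",      symlink: false },
  { name: "link_to_home",         symlink: true  },
].freeze

if __FILE__ == $PROGRAM_NAME
  report = classify_entries("/tmp/upload-extract", SAMPLE_ENTRIES)
  report[:safe].each { |p| puts "OK      #{p}" }
  report[:rejected].each { |name, why| puts "REJECT  #{name} (#{why})" }
end
```

The check resolves each name against the destination and compares the result with a trailing separator, which is what distinguishes a name that merely contains ".." from one that actually escapes; a hypothetical extractor would call `safe_extract_path` before every write rather than trusting the archive's own names.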

@david-a-wheeler
Collaborator Author

Note that this will mean that, in the short term, all attempts to update master, staging, or production will fail, because we have a KNOWN vulnerable component. We could probably narrow that down to only complain when gems used in production have a known vulnerability, but we haven't needed to do that before.

@david-a-wheeler
Collaborator Author

I don't see any easy way to tell bundle-audit to "ignore gems that are only used in development or test". If we had to hand-jam this, we could change:

bundle exec bundle audit check

by appending this:

--ignore CVE-2018-1000544

@david-a-wheeler
Collaborator Author

Change of plans. This issue prevents updates, and rubyzip has failed to fix this since July 1. Since it doesn't affect production, I think we should just ignore the vulnerability (using --ignore).

david-a-wheeler added a commit that referenced this issue Aug 28, 2018
Ignore CVE-2018-1000544 (a vulnerability in rubyzip).
It does not affect production. See:
#1222
rubyzip/rubyzip#371
https://nvd.nist.gov/vuln/detail/CVE-2018-1000544

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler
Collaborator Author

Rubyzip has belatedly updated... and so have we.
