==> debian/control <==
Source: ruby-archive-tar-minitar
Section: ruby
Priority: optional
Maintainer: Alexander Wirt
Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.7~)
Standards-Version: 3.9.2
Homepage: http://rubyforge.org/projects/ruwiki/
XS-Ruby-Versions: all

Package: ruby-archive-tar-minitar
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter
Description: Provides POSIX tarchive management from Ruby programs.
 Archive::Tar::Minitar is a pure-Ruby library and command-line utility that
 provides the ability to deal with POSIX tar(1) archive files. The
 implementation is based heavily on Mauricio Fernández's implementation in
 rpa-base, but has been reorganised to promote reuse in other projects.

==> debian/patches/CVE-2016-10173.patch <==
Description: CVE-2016-10173: directory traversal vulnerability
Origin: vendor, https://bugzilla.opensuse.org/attachment.cgi?id=711945
Bug: https://github.com/halostatue/minitar/issues/16
Bug-Debian: https://bugs.debian.org/853249
Bug-OpenSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740
Forwarded: not-needed
Author: Jordi Massaguer
Reviewed-by: Salvatore Bonaccorso
Last-Update: 2017-01-30
--- a/lib/archive/tar/minitar.rb
+++ b/lib/archive/tar/minitar.rb
@@ -969,6 +969,9 @@ module Archive::Tar::Minitar end inp.each do |entry| + if entry.full_name.squeeze('/') =~ /\.{2}(?:\/|\z)/ + raise entry.full_name + " Error path contains .." + end if files.empty? or files.include?(entry.full_name) inp.extract_entry(dest, entry, &block) end

==> debian/patches/series <==
CVE-2016-10173.patch

==> debian/ruby-archive-tar-minitar.docs <==
# FIXME: READMEs found
# README

==> debian/ruby-test-files.yaml <==
---
- tests/testall.rb

==> debian/compat <==
7

==> debian/changelog <==
ruby-archive-tar-minitar (0.5.2-2+deb8u1build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Tyler Hicks  Mon, 06 Feb 2017 15:41:06 +0000

ruby-archive-tar-minitar (0.5.2-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-10173: directory traversal vulnerability (Closes: #853249)

 -- Salvatore Bonaccorso  Mon, 30 Jan 2017 21:57:15 +0100

ruby-archive-tar-minitar (0.5.2-2) unstable; urgency=low

  * fix copyright file

 -- Alexander Wirt  Mon, 22 Aug 2011 23:24:27 +0200

ruby-archive-tar-minitar (0.5.2-1) unstable; urgency=low

  * Initial release

 -- Alexander Wirt  Mon, 22 Aug 2011 21:53:35 +0200

==> debian/copyright <==
Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=173
Upstream-Name: archive-tar-minitar
Source: http://rubygems.org/downloads/archive-tar-minitar-0.5.2.gem

Files: *
Copyright: Copyright 2004 Mauricio Julio Fernández Pradier and Austin Ziegler
License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version or Ruby's licence.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this package; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the full text of the GNU General Public
 License version 2 can be found in the file
 `/usr/share/common-licenses/GPL-2'.

Files: debian/*
Copyright: Copyright 2011 Alexander Wirt
License: GPL-2
 On Debian systems, the complete text of the GNU General Public
 License version 2 can be found in "/usr/share/common-licenses/GPL-2".
==> debian/watch <==
version=3
http://pkg-ruby-extras.alioth.debian.org/cgi-bin/gemwatch/archive-tar-minitar .*/archive-tar-minitar-(.*).tar.gz

==> debian/source/format <==
3.0 (quilt)

==> debian/rules <==
#!/usr/bin/make -f
#export DH_VERBOSE=1
#
# Uncomment to ignore all test failures (but the tests will run anyway)
#export DH_RUBY_IGNORE_TESTS=all
#
# Uncomment to ignore some test failures (but the tests will run anyway).
# Valid values:
#export DH_RUBY_IGNORE_TESTS=ruby1.8 ruby1.9.1 require-rubygems
#
# If you need to specify the .gemspec (eg there is more than one)
#export DH_RUBY_GEMSPEC=gem.gemspec

%:
	dh $@ --buildsystem=ruby --with ruby

override_dh_auto_install:
	dh_auto_install
	rm -rf debian/ruby-archive-tar-minitar/usr/bin/
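Review bot: in the CVE-2016-10173.patch hunk at `inp.each do |entry|` in the unpack loop, the traversal check guards only this one call site, so any caller that invokes `inp.extract_entry(dest, entry, &block)` directly, or iterates the reader itself, still extracts an unchecked name; the check belongs inside `extract_entry`, where the destination path is actually built, so every extraction path is covered. Two smaller points on the same lines: `raise entry.full_name + " Error path contains .."` raises a bare RuntimeError whose message begins with the attacker-controlled entry name, so callers cannot rescue this condition specifically and log output is harder to read; raising a dedicated exception class under `Archive::Tar::Minitar` (the class name would be a new addition) with the offending name quoted after the message would be cleaner. And `squeeze('/')` only collapses repeated slashes, so a name with a leading `/` passes the `/\.{2}(?:\/|\z)/` test untouched; whether such an absolute name can escape `dest` then depends entirely on how `extract_entry` joins the two, which this hunk does not show. Rejecting names that start with `/` alongside the `..` test would make the check independent of that detail.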