Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update rubyzip to address CVE-2019-16892 #3355

Merged
merged 1 commit into from
Sep 30, 2019
Merged

update rubyzip to address CVE-2019-16892 #3355

merged 1 commit into from
Sep 30, 2019

Conversation

annaswims
Copy link
Contributor

@annaswims annaswims commented Sep 30, 2019
edited
Loading

Description of change

Name: rubyzip
Version: 1.2.2
Advisory: CVE-2019-16892
Criticality: Unknown
URL: rubyzip/rubyzip#403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0

Testing done

Testing planned

Acceptance Criteria (Definition of Done)

Applies to all PRs

  • Appropriate logging
  • Swagger docs have been updated, if applicable
  • Provide link to originating GitHub issue, or connected to it via ZenHub
  • Does not contain any sensitive information (i.e. PII/credentials/internal URLs/etc., in logging, hardcoded, or in specs)
  • Provide which alerts would indicate a problem with this functionality (if applicable)

@va-vfs-bot va-vfs-bot temporarily deployed to update_rubyzip/master September 30, 2019 15:20 Inactive
@annaswims
Copy link
Contributor Author

cc: @ATeal who introduced rubyzip in #3059

@annaswims annaswims marked this pull request as ready for review September 30, 2019 15:48
@annaswims annaswims requested review from a team as code owners September 30, 2019 15:48
johnpaulashenfelter
johnpaulashenfelter approved these changes Sep 30, 2019
View reviewed changes
Copy link
Contributor

@johnpaulashenfelter johnpaulashenfelter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty minor and seems straightforward to roll out.

Seems really weird that the maintainer of the gem release 1.3 and 2.0 with the same code: https://github.com/rubyzip/rubyzip/blob/v2.0.0/Changelog.md

@annaswims annaswims merged commit f0c7430 into master Sep 30, 2019
@annaswims
Copy link
Contributor Author

@johnpaulashenfelter It's not quite the same code validate_entry_sizes has a different default and support for ruby <2.4 is dropped. This CVE doesn't really apply to us since we're not unzipping files uploaded by users (yet).

rubyzip/rubyzip@v1.3.0...master

@johnpaulashenfelter johnpaulashenfelter deleted the update_rubyzip branch October 2, 2019 15:19
@annaswims annaswims added the VSP VSP Contract label Oct 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnpaulashenfelter johnpaulashenfelter johnpaulashenfelter approved these changes

Assignees
No one assigned
Labels
VSP VSP Contract
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@annaswims @johnpaulashenfelter @va-vfs-bot