Update rubyzip gem to 1.2.2 (CVE-2018-1000544)
rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000544
- PoC: https://github.com/rubyzip/rubyzip/issues/369
- Patches: https://github.com/rubyzip/rubyzip/pull/371 https://github.com/rubyzip/rubyzip/pull/376
- Diff (1.2.1 to 1.2.2): https://github.com/rubyzip/rubyzip/compare/v1.2.1...v1.2.2
- RubyGems: https://rubygems.org/gems/rubyzip/versions/1.2.2
rubyzip is currently only used in the internal CI process of gitlab-ce/-ee (introduced in !3775 (merged)) and is not used via production code. Therefore this is not kind of product security.