Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency tzinfo to v1.2.10 [SECURITY] #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency tzinfo to v1.2.10 [SECURITY] #51

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 25, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
tzinfo (source, changelog) 1.2.5 -> 1.2.10 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-31163

Impact

Affected versions

  • 0.3.60 and earlier.
  • 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5c0e682736f61d0dd803b6031a5db9eadf for 0.3.x and commit 9905ca93abf7bf3e387bd592406e403cd18334c7 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory:

Release Notes

tzinfo/tzinfo (tzinfo)

v1.2.10

Compare Source

  • Fixed a relative path traversal bug that could cause arbitrary files to be
    loaded with require when used with RubyDataSource. Please refer to
    GHSA-5cm2-9h8c-rvfx for
    details. CVE-2022-31163.
  • Ignore the SECURITY file from Arch Linux's tzdata package. #​134.

v1.2.9

Compare Source

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a
    zoneinfo file that includes rules specifying an additional transition to the
    final defined offset (for example, Africa/Casablanca in version 2018e of the
    Time Zone Database). #​123.

v1.2.8

Compare Source

  • Added support for handling "slim" format zoneinfo files that are produced by
    default by zic version 2020b and later. The POSIX-style TZ string is now used
    calculate DST transition times after the final defined transition in the file.
    The 64-bit section is now always used regardless of whether Time has support
    for 64-bit times. #​120.
  • Rubinius is no longer supported.

v1.2.7

Compare Source

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #​114.
  • Fixed warnings when running on Ruby 2.8. #​112.

v1.2.6

Compare Source

  • Timezone#strftime('%s', time) will now return the correct number of seconds
    since the epoch. #​91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading
    data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #​106 and #​111.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants