Add CVE-2018-1000544 for rubyzip (#346)

bannable · reedloden · commit 17985dec28d5 · 2018-08-24T18:52:36.000-07:00
diff --git a/gems/rubyzip/CVE-2018-1000544.yml b/gems/rubyzip/CVE-2018-1000544.yml
@@ -0,0 +1,17 @@
+---
+gem: rubyzip
+date: 2018-06-14
+url: https://github.com/rubyzip/rubyzip/issues/369
+cve: 2018-1000544
+title: Directory Traversal in rubyzip
+description: |
+  rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
+  in Zip::File component that can result in write arbitrary files to the filesystem.
+  If a site allows uploading of .zip files, an attacker can upload a malicious file
+  which contains symlinks or files with absolute pathnames "../" to write arbitrary
+  files to the filesystem.
+related:
+  cve:
+    - 2017-5946
+  url:
+    - https://security-tracker.debian.org/tracker/CVE-2018-1000544
