Bug 1781195

Summary: Update rubyzip to >= 2.0.0
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: Automate
Assignee: drew uhlmann <duhlmann>
Status: CLOSED CURRENTRELEASE
QA Contact: Sudhir Mallamprabhakara <smallamp>
Severity: low
Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: medium
Version: 5.10.12
CC: dmetzger, duhlmann, gmccullo, jfrey, mkanoor, obarenbo
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.12.0
Flags: dmetzger: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1783401 1783403
Last Closed: 2020-10-26 16:13:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: CFME Core
Bug Blocks: 1783401, 1783403

Description Satoe Imaishi 2019-12-09 14:18:57 UTC
We're currently using rubyzip 1.3.0 with "Zip.validate_entry_sizes = true" to address CVE-2019-16892.

To avoid possibly adding new code without the "true" flag in the future (which will make us vulnerable again), rubyzip should be updated to 2.0.0 or later, which sets the flag to true by default.
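As an added illustration of what the flag guards against (this is example code, not ManageIQ or rubyzip code), the reader below parses one zip local-file-header record using only Ruby's standard library and refuses to inflate past the declared uncompressed size, which is the check Zip.validate_entry_sizes turns on. The names build_entry, inflate_bounded and extract_entry are constructed for this example, as are the archive bytes it builds in memory.

```ruby
require 'zlib'

# Added example, not ManageIQ or rubyzip code: a reader for one zip
# local-file-header record that refuses to inflate past the declared
# uncompressed size, the check Zip.validate_entry_sizes turns on.
class EntrySizeError < StandardError; end

LOCAL_HEADER_SIG = 0x04034b50 # "PK\x03\x04"
LOCAL_HEADER_LEN = 30
DEFLATED         = 8

# Build a local header + raw-deflate data. declared_size lets a test forge a
# header that claims fewer bytes than the entry really inflates to.
def build_entry(name, data, declared_size: data.bytesize)
  deflater   = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS) # raw deflate, as zip uses
  compressed = deflater.deflate(data, Zlib::FINISH)
  deflater.close
  header = [LOCAL_HEADER_SIG, 20, 0, DEFLATED, 0, 0, Zlib.crc32(data),
            compressed.bytesize, declared_size, name.bytesize, 0].pack('VvvvvvVVVvv')
  header + name.b + compressed
end

# Inflate while watching total_out; input goes in small slices so the
# overshoot before detection is bounded (deflate expands at most ~1032x).
def inflate_bounded(compressed, declared_size, slice: 1024)
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = ''.b
  compressed.bytes.each_slice(slice) do |bytes|
    out << inflater.inflate(bytes.pack('C*'))
    if inflater.total_out > declared_size
      raise EntrySizeError, "entry inflates past the declared #{declared_size} bytes"
    end
  end
  out << inflater.finish
  inflater.close
  raise EntrySizeError, "declared #{declared_size} bytes, got #{out.bytesize}" if out.bytesize != declared_size
  out
end

# Parse one record and return [name, contents]; raises on a forged size or CRC.
def extract_entry(blob)
  sig, _ver, _flags, method, _mtime, _mdate, crc, csize, usize, nlen, xlen =
    blob.unpack('VvvvvvVVVvv')
  raise ArgumentError, 'not a local file header' unless sig == LOCAL_HEADER_SIG
  raise ArgumentError, 'only deflate is handled here' unless method == DEFLATED
  name = blob.byteslice(LOCAL_HEADER_LEN, nlen)
  data = inflate_bounded(blob.byteslice(LOCAL_HEADER_LEN + nlen + xlen, csize), usize)
  raise EntrySizeError, 'CRC mismatch' unless Zlib.crc32(data) == crc
  [name, data]
end
```

A real archive also carries a central directory; this example checks only the per-entry record, which is where the size lie lives.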

Comment 2 Jason Frey 2019-12-10 17:00:03 UTC
Opened upstream issue https://github.com/ManageIQ/manageiq/issues/19622

Comment 3 drew uhlmann 2019-12-11 19:11:59 UTC
note:

winrm-fs,
vmdb/util.rb,
app/models/miq_ae_yaml_import_zipfs.rb,
app/models/miq_ae_yaml_export_zipfs.rb
need to be tested

Comment 6 CFME Bot 2019-12-12 16:26:42 UTC
New commit detected on ManageIQ/manageiq-automation_engine/master:

https://github.com/ManageIQ/manageiq-automation_engine/commit/b1918588265feebcb657240fd987d8c20906fe3e
commit b1918588265feebcb657240fd987d8c20906fe3e
Author:     d-m-u <duhlmann>
AuthorDate: Wed Dec 11 14:36:54 2019 -0500
Commit:     d-m-u <duhlmann>
CommitDate: Wed Dec 11 14:36:54 2019 -0500

    Update to 2.0.0

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
    Fixes https://github.com/ManageIQ/manageiq/issues/19622

 app/models/miq_ae_yaml_export_zipfs.rb | 5 -
 app/models/miq_ae_yaml_import_zipfs.rb | 5 -
 manageiq-automation_engine.gemspec | 2 +-
 spec/models/miq_ae_yaml_import_export_spec.rb | 5 -
 4 files changed, 1 insertion(+), 16 deletions(-)

Comment 7 CFME Bot 2019-12-12 16:30:39 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/4889c8f6f4d02617e2df6efe7ca9405d029db4aa
commit 4889c8f6f4d02617e2df6efe7ca9405d029db4aa
Author:     d-m-u <duhlmann>
AuthorDate: Wed Dec 11 14:34:25 2019 -0500
Commit:     d-m-u <duhlmann>
CommitDate: Wed Dec 11 14:34:25 2019 -0500

    Update rubyzip to 2.0.0

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
    Fixes https://github.com/ManageIQ/manageiq/issues/19622

 Gemfile | 2 +-
 lib/vmdb/util.rb | 5 -
 spec/lib/vmdb/util_spec.rb | 5 -
 3 files changed, 1 insertion(+), 11 deletions(-)