We're currently using rubyzip 1.3.0 with "Zip.validate_entry_sizes = true" to address CVE-2019-16892. To avoid possibly adding new code without the "true" flag in the future (which will make us vulnerable again), rubyzip should be updated to 2.0.0 or later, which sets the flag to true by default.
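The check the flag above turns on, shown as an added example that is not code from this thread, from rubyzip or from ManageIQ: a stdlib-only Ruby reader for one ZIP local file header that refuses to inflate past the size the header declares, which is the property Zip.validate_entry_sizes enforces. The helper names (build_local_entry, read_local_entry, EntrySizeError) and the mislabelled test entry are this example's own; it deliberately builds no full archive (no central directory) and only handles deflate.

```ruby
require 'zlib'
require 'stringio'

# Added example, not code from rubyzip or ManageIQ. Minimal reader for a
# ZIP local-file-header entry that enforces the declared uncompressed size
# while inflating, the behaviour rubyzip's Zip.validate_entry_sizes adds
# for CVE-2019-16892. Helper names below are this example's own.

LOCAL_HEADER_SIG = "PK\x03\x04".b
METHOD_DEFLATE = 8
INFLATE_SLICE = 256 # bytes of compressed input handed to zlib per step

class EntrySizeError < StandardError; end

# Build one local-file-header entry with raw-deflate payload (constructed
# test input, not a complete archive). declared_uncompressed defaults to
# the real size; any other value yields a mislabelled header.
def build_local_entry(name, data, declared_uncompressed: data.bytesize)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  raw = deflater.deflate(data, Zlib::FINISH)
  deflater.close
  header = [0x04034b50, 20, 0, METHOD_DEFLATE, 0, 0,
            Zlib.crc32(data), raw.bytesize, declared_uncompressed,
            name.bytesize, 0].pack('VvvvvvVVVvv')
  header + name.b + raw
end

# Parse the header and inflate the payload. With validate_entry_sizes on,
# inflation stops as soon as the output exceeds the declared size, so a
# mislabelled entry cannot keep expanding into memory or onto disk.
def read_local_entry(bytes, validate_entry_sizes: true)
  io = StringIO.new(bytes)
  raise ArgumentError, 'not a local file header' unless io.read(4) == LOCAL_HEADER_SIG
  _ver, _flags, method, _time, _date, crc, csize, usize, nlen, xlen =
    io.read(26).unpack('vvvvvVVVvv')
  name = io.read(nlen).force_encoding(Encoding::UTF_8)
  io.read(xlen) # extra field, not needed here
  raise ArgumentError, "#{name}: unsupported method #{method}" unless method == METHOD_DEFLATE
  compressed = io.read(csize)

  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new(encoding: Encoding::BINARY)
  offset = 0
  while offset < compressed.bytesize
    out << inflater.inflate(compressed.byteslice(offset, INFLATE_SLICE))
    offset += INFLATE_SLICE
    if validate_entry_sizes && out.bytesize > usize
      inflater.close
      raise EntrySizeError, "#{name}: inflated past declared #{usize} bytes"
    end
  end
  out << inflater.finish
  inflater.close
  if validate_entry_sizes && out.bytesize != usize
    raise EntrySizeError, "#{name}: got #{out.bytesize} bytes, header says #{usize}"
  end
  raise EntrySizeError, "#{name}: CRC mismatch" unless Zlib.crc32(out) == crc
  { name: name, data: out }
end

if $PROGRAM_NAME == __FILE__
  good = build_local_entry('hello.txt', 'hello world')
  puts read_local_entry(good)[:data]
  # Header claims 10 bytes but the payload inflates to 100,000.
  lie = build_local_entry('lie.txt', 'A' * 100_000, declared_uncompressed: 10)
  begin
    read_local_entry(lie)
  rescue EntrySizeError => e
    puts "rejected: #{e.message}"
  end
end
```

Running it prints the honest entry's contents and then the rejection for the mislabelled one; passing validate_entry_sizes: false reproduces the pre-fix behaviour, where the reader trusts the header and inflates whatever it is given.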
Opened upstream issue https://github.com/ManageIQ/manageiq/issues/19622
note: winrm-fs, vmdb/util.rb, app/models/miq_ae_yaml_import_zipfs.rb, app/models/miq_ae_yaml_export_zipfs.rb need to be tested
https://github.com/ManageIQ/manageiq/pull/19629
https://github.com/ManageIQ/manageiq-automation_engine/pull/397
New commit detected on ManageIQ/manageiq-automation_engine/master: https://github.com/ManageIQ/manageiq-automation_engine/commit/b1918588265feebcb657240fd987d8c20906fe3e

commit b1918588265feebcb657240fd987d8c20906fe3e
Author: d-m-u <duhlmann>
AuthorDate: Wed Dec 11 14:36:54 2019 -0500
Commit: d-m-u <duhlmann>
CommitDate: Wed Dec 11 14:36:54 2019 -0500

    Update to 2.0.0

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
    Fixes https://github.com/ManageIQ/manageiq/issues/19622

 app/models/miq_ae_yaml_export_zipfs.rb        | 5 -
 app/models/miq_ae_yaml_import_zipfs.rb        | 5 -
 manageiq-automation_engine.gemspec            | 2 +-
 spec/models/miq_ae_yaml_import_export_spec.rb | 5 -
 4 files changed, 1 insertion(+), 16 deletions(-)
New commit detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/4889c8f6f4d02617e2df6efe7ca9405d029db4aa

commit 4889c8f6f4d02617e2df6efe7ca9405d029db4aa
Author: d-m-u <duhlmann>
AuthorDate: Wed Dec 11 14:34:25 2019 -0500
Commit: d-m-u <duhlmann>
CommitDate: Wed Dec 11 14:34:25 2019 -0500

    Update rubyzip to 2.0.0

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
    Fixes https://github.com/ManageIQ/manageiq/issues/19622

 Gemfile                    | 2 +-
 lib/vmdb/util.rb           | 5 -
 spec/lib/vmdb/util_spec.rb | 5 -
 3 files changed, 1 insertion(+), 11 deletions(-)
needs https://github.com/ManageIQ/manageiq-automation_engine/pull/400 and https://github.com/ManageIQ/manageiq/pull/19636 as well