Update dependency tzinfo to v1.2.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
tzinfo (source, changelog)	1.2.5 → 1.2.10

GitHub Vulnerability Alerts

CVE-2022-31163

Impact

Affected versions

• 0.3.60 and earlier.
• 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5c0e682736f61d0dd803b6031a5db9eadf for 0.3.x and commit 9905ca93abf7bf3e387bd592406e403cd18334c7 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the tzinfo repository.

---

Release Notes

tzinfo/tzinfo (tzinfo)

v1.2.10

Compare Source

• Fixed a relative path traversal bug that could cause arbitrary files to be
  loaded with require when used with RubyDataSource. Please refer to
  GHSA-5cm2-9h8c-rvfx for
  details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #​134.

v1.2.9

Compare Source

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a
  zoneinfo file that includes rules specifying an additional transition to the
  final defined offset (for example, Africa/Casablanca in version 2018e of the
  Time Zone Database). #​123.

v1.2.8

Compare Source

• Added support for handling "slim" format zoneinfo files that are produced by
  default by zic version 2020b and later. The POSIX-style TZ string is now used
  calculate DST transition times after the final defined transition in the file.
  The 64-bit section is now always used regardless of whether Time has support
  for 64-bit times. #​120.
• Rubinius is no longer supported.

v1.2.7

Compare Source

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #​114.
• Fixed warnings when running on Ruby 2.8. #​112.

v1.2.6

Compare Source

• Timezone#strftime('%s', time) will now return the correct number of seconds
  since the epoch. #​91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading
  data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #​106 and #​111.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/docs/docs/Gemfile.lock

/opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor/error.rb:109:in '<class:Thor>': uninitialized constant DidYouMean::SPELL_CHECKERS (NameError)

    DidYouMean::SPELL_CHECKERS.merge!(
              ^^^^^^^^^^^^^^^^
Did you mean?  DidYouMean::SpellChecker
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor/error.rb:1:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor/base.rb:4:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor/base.rb:4:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor.rb:2:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendor/thor/lib/thor.rb:2:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendored_thor.rb:8:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/vendored_thor.rb:8:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/friendly_errors.rb:5:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/lib/bundler/friendly_errors.rb:5:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/exe/bundle:21:in 'Kernel#require'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/exe/bundle:21:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/exe/bundler:4:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/gems/bundler-2.0.2/exe/bundler:4:in '<top (required)>'
	from /opt/containerbase/tools/ruby/4.0.0/lib/ruby/4.0.0/rubygems.rb:303:in 'Kernel#load'
	from /opt/containerbase/tools/ruby/4.0.0/lib/ruby/4.0.0/rubygems.rb:303:in 'Gem.activate_and_load_bin_path'
	from /opt/containerbase/tools/bundler/2.0.2/4.0.0/bin/bundler:25:in '<main>'