oss-sec mailing list archives
Re: Remote command Injection in Creme Fraiche 0.6 Ruby Gem
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 14 May 2013 13:17:40 -0600
On 05/14/2013 10:59 AM, Larry W. Cashdollar wrote:
> TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem
> DATE: 5/14/2013
> AUTHOR: Larry W. Cashdollar (@_larry0)
> DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/
> DESCRIPTION: Converts Email to PDF files.
> VENDOR: Notified on 5/13/2013, provided fix 5/14/2013
> FIX: In Version 0.6.1
> CVE: TBD (please assign?)
> DETAILS: The following lines pass unsanitized user input directly to the command line. A malicious email attachment with a file name consisting of shell metacharacters could inject commands into the shell. If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.
>
> 218 cmd = "pdftk %s update_info %s output %s" %[pdf, info_file, t_file]
> 219 @log.debug('pdftk-command is ' << cmd)
> 220 pdftk_result = system( cmd)
>
> GREETINGS: @vladz, @quine, @BrandonTansey, @sushidude, @jkouns, @sub_space and @attritionorg
> ADVISORY: http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
Please use CVE-2013-2090 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
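The defect quoted above is the single-string form of `system`, which hands the filename to `/bin/sh`. The following is an added example, not code from the cremefraiche gem or from either poster, that puts the vulnerable shape next to an argv-array form of the same pdftk call; the basename checks in `checked_basename` and the use of `echo` as a stand-in for `pdftk` are this example's own assumptions.

```ruby
require 'open3'

# Vulnerable shape from the advisory: one string, interpreted by /bin/sh, so
# ';', '|', '$(...)' and backticks inside a filename become shell syntax.
def vulnerable_cmd(pdf, info_file, t_file)
  "pdftk %s update_info %s output %s" % [pdf, info_file, t_file]
end

class BadFilename < ArgumentError; end

# Assumed policy for this example: an attachment name is only ever accepted
# as a plain basename (no NUL, no path separator, no leading dash, not . or ..).
def checked_basename(name)
  raise BadFilename, "empty name" if name.nil? || name.empty?
  raise BadFilename, "NUL byte in #{name.inspect}" if name.include?("\0")
  raise BadFilename, "path separator in #{name.inspect}" if name.include?("/")
  raise BadFilename, "leading dash in #{name.inspect}" if name.start_with?("-")
  raise BadFilename, "dot name" if name == "." || name == ".."
  name
end

# Safe shape: an argv array. Each element reaches the program verbatim; no
# shell is involved, so metacharacters are just characters in a filename.
def pdftk_argv(pdf, info_file, t_file, pdftk: "pdftk")
  [pdftk, checked_basename(pdf), "update_info", checked_basename(info_file),
   "output", checked_basename(t_file)]
end

# Open3 with several arguments execs the program directly, like system(*argv).
# Returns [combined stdout+stderr, success flag].
def run_argv(argv)
  out, status = Open3.capture2e(*argv)
  [out, status.success?]
end

if __FILE__ == $0
  evil = "a.pdf; id #"                                # constructed attacker-style name
  puts vulnerable_cmd(evil, "info.txt", "out.pdf")    # the injected text is visible
  p pdftk_argv(evil, "info.txt", "out.pdf")           # evil stays one argv element
  # echo stands in for pdftk so the demo runs anywhere: it prints argv back.
  p run_argv(pdftk_argv(evil, "info.txt", "out.pdf", pdftk: "echo"))
end
```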