oss-sec mailing list archives

Remote Command Injection in Ruby Gem colorscore <=0.0.4


From: Reed Loden <reed () reedloden com>
Date: Mon, 4 Jan 2016 17:09:15 -0800

Title: Remote Command Injection in Ruby Gem colorscore <=0.0.4

Description: Finds the dominant colors in an image and scores them against
a user-defined palette, using the CIE2000 Delta E formula.

Homepage: https://github.com/quadule/colorscore

Download: https://rubygems.org/gems/colorscore

Affected versions: All (<=0.0.4 currently)

Vulnerability:
The contents of the `image_path`, `colors`, and `depth` variables generated
from possibly user-supplied input are passed directly to the shell on line
4. If a user supplies a value that includes shell metacharacters such as
';', an attacker may be able to execute shell commands on the remote system
as the user id of the Ruby process.

To resolve this issue, the aforementioned variables (especially
`image_path`) must be sanitized for shell metacharacters.

1  module Colorscore
2    class Histogram
3      def initialize(image_path, colors=16, depth=8)
4        output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-`
5        @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?)
6      end
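As an added illustration (not colorscore's own code), the snippet below places the interpolated backtick command from line 4 next to a hardened version. The hardened version goes a step past the escaping the advisory calls for: it validates `colors` and `depth` as integers and hands `convert` an argv array so no shell parses the arguments at all; `HistogramCommand`, `safe_argv` and the range checks are assumptions chosen here, not part of the gem.

```ruby
require 'shellwords'
require 'open3'

# Added example, not colorscore's code: the vulnerable command builder next
# to a hardened one that never lets user input reach /bin/sh.
module HistogramCommand
  # Vulnerable shape (as in the advisory): string interpolation into a shell
  # command line, so a ';' in image_path, colors or depth is parsed by the shell.
  def self.unsafe_command(image_path, colors = 16, depth = 8)
    "convert #{image_path} -resize 400x400 -format %c -dither None " \
    "-quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-"
  end

  # Hardened: validate the numeric parameters and return an argv array.
  # Open3.capture2(*argv) execs the program directly; no shell is involved.
  def self.safe_argv(image_path, colors = 16, depth = 8)
    colors = Integer(colors) # raises ArgumentError on "16; id"
    depth  = Integer(depth)
    raise ArgumentError, 'colors out of range' unless (1..256).cover?(colors)
    raise ArgumentError, 'depth out of range' unless [8, 16].include?(depth)
    # A leading '-' would be read by convert as an option and '@' as a file
    # list; refuse both so the path is only ever an input filename.
    raise ArgumentError, 'bad image path' if image_path.start_with?('-', '@')
    ['convert', image_path, '-resize', '400x400', '-format', '%c',
     '-dither', 'None', '-quantize', 'YIQ', '-colors', colors.to_s,
     '-depth', depth.to_s, 'histogram:info:-']
  end

  # If a single shell string is unavoidable, escape every argument.
  def self.safe_command(image_path, colors = 16, depth = 8)
    Shellwords.join(safe_argv(image_path, colors, depth))
  end

  # Same post-processing as the gem, run on the hardened invocation.
  def self.histogram_lines(image_path, colors = 16, depth = 8)
    output, status = Open3.capture2(*safe_argv(image_path, colors, depth))
    raise "convert failed: #{status}" unless status.success?
    output.lines.sort.reverse.map(&:strip).reject(&:empty?)
  end
end
```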

CVE: CVE-2015-7541

Credits: Dirk Zittersteyn (@DZittersteyn)

History:
* 2015-12-04 -- Vendor notified
* 2015-12-05 -- CVE requested
* 2016-01-04 -- Publicly disclosed
