oss-sec mailing list archives
Remote Command Injection in Ruby Gem colorscore <=0.0.4
From: Reed Loden <reed () reedloden com>
Date: Mon, 4 Jan 2016 17:09:15 -0800
Title: Remote Command Injection in Ruby Gem colorscore <=0.0.4

Description: Finds the dominant colors in an image and scores them against a user-defined palette, using the CIE2000 Delta E formula.

Homepage: https://github.com/quadule/colorscore

Download: https://rubygems.org/gems/colorscore

Affected versions: All (<=0.0.4 currently)

Vulnerability:

The contents of the `image_path`, `colors`, and `depth` variables generated from possibly user-supplied input are passed directly to the shell on line 4. If a user supplies a value that includes shell metacharacters such as ';', an attacker may be able to execute shell commands on the remote system as the user id of the Ruby process.

To resolve this issue, the aforementioned variables (especially `image_path`) must be sanitized for shell metacharacters.

    1 module Colorscore
    2   class Histogram
    3     def initialize(image_path, colors=16, depth=8)
    4       output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-`
    5       @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?)
    6     end

CVE: CVE-2015-7541

Credits: Dirk Zittersteyn (@DZittersteyn)

History:
* 2015-12-04 -- Vendor notified
* 2015-12-05 -- CVE requested
* 2016-01-04 -- Publicly disclosed
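Added example (editor's illustration, not code from the advisory above or from the colorscore gem): the backtick-interpolation pattern described in the post beside two fixes. The first builds an argv array and spawns `convert` directly through Open3, so no shell parses the values; the second escapes each field with Shellwords for the case where a single command string is unavoidable. The `shell_vs_argv` helper uses `echo` as a stand-in for `convert` so the difference can be run without ImageMagick installed; the function names and the `histogram_lines` wrapper are this example's own, not the gem's API.

```ruby
require "open3"
require "shellwords"

# Added example, not code from the colorscore gem or the advisory. `convert`
# (ImageMagick) is only executed by histogram_lines, which the self-test
# below does not call.

# The pattern from the advisory: Ruby backticks hand this whole string to
# /bin/sh, so metacharacters in any of the three values are interpreted.
def vulnerable_command(image_path, colors = 16, depth = 8)
  "convert #{image_path} -resize 400x400 -format %c -dither None " \
    "-quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-"
end

# Fix 1 (preferred): build an argv array and spawn `convert` directly, so no
# shell ever sees the values. Numeric parameters go through Integer(), which
# rejects "16; id" outright, and a path starting with '-' is refused so that
# convert cannot parse it as an option.
def safe_argv(image_path, colors = 16, depth = 8)
  colors = Integer(colors)
  depth  = Integer(depth)
  raise ArgumentError, "image_path must not look like an option" if image_path.start_with?("-")
  ["convert", image_path,
   "-resize", "400x400", "-format", "%c", "-dither", "None", "-quantize", "YIQ",
   "-colors", colors.to_s, "-depth", depth.to_s, "histogram:info:-"]
end

# Fix 2: when a single shell string is unavoidable (a wrapper that only takes
# a command line, for instance), escape every field before joining.
def escaped_command(image_path, colors = 16, depth = 8)
  safe_argv(image_path, colors, depth).shelljoin
end

# Replacement for the gem's constructor body, using fix 1. Needs ImageMagick;
# the self-test does not run it.
def histogram_lines(image_path, colors = 16, depth = 8)
  output, status = Open3.capture2(*safe_argv(image_path, colors, depth))
  raise "convert failed with exit status #{status.exitstatus}" unless status.success?
  output.lines.sort.reverse.map(&:strip).reject(&:empty?)
end

# Runs the same value two ways with `echo` standing in for `convert`:
# through the shell (the vulnerable pattern) and as one argv element.
def shell_vs_argv(value)
  via_shell = `echo #{value}`                        # /bin/sh parses the string
  via_argv, _status = Open3.capture2("echo", value)  # execve with a literal argument
  [via_shell, via_argv]
end

if __FILE__ == $PROGRAM_NAME
  payload = "hello; echo INJECTED"   # constructed sample input
  shell, argv = shell_vs_argv(payload)
  puts "through the shell:\n#{shell}"
  puts "as an argv element:\n#{argv}"
  puts escaped_command("x.png; id", 16, 8)
end
```

Running the file prints "hello" followed by "INJECTED" for the shell path, and the single line "hello; echo INJECTED" for the argv path. Spawning without a shell removes the injection the advisory describes, but it does not make `image_path` trustworthy for ImageMagick itself, which interprets its own filename syntax (format prefixes such as the `histogram:` used here); callers should still restrict the path to files under a directory they control.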