oss-sec mailing list archives
Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4
From: cve-assign () mitre org
Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
We are not sure of the best way to interpret statements such as
If this Gem is used in the context of a Rails application it may be possible for a remote user to inject commands into the shell via #{password} #{user} #{deploy_name} #{application} variables if that data is user supplied.
At this level, one question might be: is it possible that this Gem wasn't ever intended to be used in the context of a Rails application? (This question may also apply to some other recent CVE requests.)

At a slightly higher level: http://rubygems.org/gems/kompanee-recipes says "These are the common recipes we've been using here at The Kompanee." It seems unclear whether this is really intended to have widespread use as-is except by thekompanee.com insiders. For example, parts of it seem highly site-specific such as lib/kompanee-recipes/bash.rb "This will install a more secure SSH environment ... it will ... change the default port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config /etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets intelligent defaults for Kompanee Rackspace deployments ... :domain, "thekompanee.com" ... :server_ip, "174.143.212.245" ... Most of these values can be overridden in each application's deploy.rb file. Unfortunately some of them can't be such as :scm but they're our recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically, site-specific. It would perhaps be reasonable to decline to assign CVE IDs for anything in kompanee-recipes because the entire Gem is arguably being published as example code that could be adapted by other organizations, not as a general-use product.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
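The injection pattern the report describes (deploy variables interpolated straight into a shell command string) beside two hardened forms, as an added Ruby example that is not code from kompanee-recipes or from either correspondent; the mysql command shape, the DEPLOY_VARS values and the risky_values check are constructed for illustration.

```ruby
require 'shellwords'

# Constructed deploy variables of the kind the report names
# (#{user} #{password} #{deploy_name} #{application}); the password value
# carries shell metacharacters to show how each form treats them.
DEPLOY_VARS = {
  user: 'deploy',
  password: 's3cret; echo injected',
  deploy_name: 'web',
  application: 'shop'
}.freeze

# The reported pattern: values interpolated into a single shell string.
# Whatever the shell treats specially in a value becomes part of the command line.
def mysql_cmd_interpolated(vars)
  "mysql -u #{vars[:user]} -p#{vars[:password]} " \
    "#{vars[:application]}_#{vars[:deploy_name]}"
end

# Hardened form 1: escape every word with Shellwords (Array#shelljoin), so the
# shell receives each value as one literal argument.
def mysql_cmd_escaped(vars)
  ['mysql', '-u', vars[:user], "-p#{vars[:password]}",
   "#{vars[:application]}_#{vars[:deploy_name]}"].shelljoin
end

# Hardened form 2: skip the shell entirely. An argv array handed to
# Process.spawn/system/Open3 goes to execve, so no metacharacters are interpreted.
def mysql_argv(vars)
  ['mysql', '-u', vars[:user], "-p#{vars[:password]}",
   "#{vars[:application]}_#{vars[:deploy_name]}"]
end

# Defensive input check for recipe settings: report which values carry shell
# metacharacters before they are ever placed on a command line.
SHELL_META = /[;&|`$()<>\\"'\s*?\[\]{}~]/
def risky_values(vars)
  vars.select { |_key, value| value.to_s.match?(SHELL_META) }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{mysql_cmd_interpolated(DEPLOY_VARS)}"
  puts "escaped:      #{mysql_cmd_escaped(DEPLOY_VARS)}"
  puts "argv:         #{mysql_argv(DEPLOY_VARS).inspect}"
  puts "risky keys:   #{risky_values(DEPLOY_VARS).inspect}"
end
```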