oss-sec mailing list archives

Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4


From: cve-assign () mitre org
Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are not sure of the best way to interpret statements such as

If this Gem is used in the context of a Rails application it maybe
possible for a remote user to inject commands into the shell via
#{password} #{user} #{deploy_name} #{application} variables if that
data is user supplied.

At this level, one question might be: is it possible that this Gem
wasn't ever intended to be used in the context of a Rails application?
(This question may also apply to some other recent CVE requests.)

At a slightly higher level:

http://rubygems.org/gems/kompanee-recipes says "These are the common
recipes we've been using here at The Kompanee." It seems unclear
whether this is really intended to have widespread use as-is except by
thekompanee.com insiders. For example, parts of it seem highly
site-specific such as lib/kompanee-recipes/bash.rb "This will install
a more secure SSH environment ... it will ... change the default
port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config
/etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets
intelligent defaults for Kompanee Rackspace deployments ... :domain,
"thekompanee.com" ... :server_ip, "174.143.212.245" ... Most of these
values can be overridden in each application's deploy.rb file.
Unfortunately some of them can't be such as :scm but they're our
recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically,
site-specific. It would perhaps be reasonable to decline to assign CVE
IDs for anything in kompanee-recipes because the entire Gem is
arguably being published as example code that could be adapted by
other organizations, not as a general-use product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTv7oIAAoJEKllVAevmvmsKcgIAMLvYt3CXRyjdeJXFshRaOjR
lw+XRRVez3c3TuuD7fpJdySJgneYIwqhkCPgVrroWsbK1s/9dudWz7urYOgbi3Mc
LaFNZlUgM+phWf3mGFUEk3eHWBJ/e1DD7+WMxYzkoh1Rs4NAOoeCnBmDfSv35gaP
bp0eVlgzMthvnoOs/EO3eXWmYR+8rD6CNugTvusKXceUa+HZgY+L/F4ijSXaeZbk
DTS+ZuMFYHBjAh2tfE9Bel82EqaMLlEzIwFGwLZuJE6spHex26cR1k4fOE6p3wBN
BaZi3u8DDe7hG2Dd+ZffIUO2aPh8fqIsd3vxazYHWUKkIvPZsZkYtSj790WrtZ4=
=gOdq
-----END PGP SIGNATURE-----
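The flaw class the quoted report refers to (deploy variables such as #{user} or #{password} interpolated straight into a shell command string) is easy to see with a short added illustration. This is example code written for this page, not code from kompanee-recipes or from anyone in the thread, and it does not show that the gem is affected; the program name, database name and user values are constructed, and `echo` is used so the run is harmless.

```ruby
require 'shellwords'

# Constructed sample values (assumptions, not taken from kompanee-recipes): the
# hostile user name carries a command separator of the kind an attacker who
# controls the value would supply.
BENIGN_USER  = "deploy".freeze
HOSTILE_USER = "deploy; echo INJECTED".freeze

# Vulnerable shape: the value is interpolated into the command line with #{...},
# so any shell metacharacters it contains are interpreted by the shell.
def vulnerable_command(prog, db, user)
  "#{prog} #{db} --user #{user}"
end

# Hardened shape: Shellwords quotes every argument as a single shell word, so the
# same hostile value reaches the program literally instead of ending the command.
def hardened_command(prog, db, user)
  [prog, db, "--user", user].shelljoin
end

# Run the assembled string through a POSIX shell, the way a Capistrano-style
# `run` ultimately would, and return the output lines. One line per command the
# shell actually executed, because the program being run is `echo`.
def shell_output_lines(command)
  IO.popen(["sh", "-c", command], &:read).lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_USER, HOSTILE_USER].each do |user|
    puts "user value:  #{user.inspect}"
    puts "  interpolated -> #{shell_output_lines(vulnerable_command('echo', 'appdb', user)).inspect}"
    puts "  shelljoined  -> #{shell_output_lines(hardened_command('echo', 'appdb', user)).inspect}"
  end
end
```

With the hostile value the interpolated form produces two output lines (the shell ran two commands), while the shelljoined form produces one line containing the value verbatim. The same distinction holds for any other interpolated field; escaping each argument as its own word, or passing an argument array instead of a string, is the fix regardless of which variable is attacker-controlled.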

