oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerability Report for Ruby Gem gyazo-1.0.0

From: larry0 () me com (Larry W. Cashdollar)
Date: Mon, 7 Jul 2014 14:14:03 -0400 (EDT)
Title: Vulnerability Report for Ruby Gem gyazo-1.0.0

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108563

CVE:Please Assign

Download: http://rubygems.org/gems/gyazo

Gem Author:  masui () pitecan com

From: ./gyazo-1.0.0/lib/gyazo/client.rb

If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and
#{tmpfile} using shell meta characters like ; and sending an escaped \".

0through the #{imagefile} name if the raw option is not set.  Also file names are time based and predictable leading
to file clobbering vulnerabilities as the running process username.
 57       unless opts[:raw]
 58         tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
 59         if File.exist? imagefile
 60           system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
 61         end
 62       end


Advisory: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Previous By Date Next
Previous By Thread Next

Current thread: