oss-sec mailing list archives
Vulnerability Report for Ruby Gem ciborg-3.0.0
From: larry0 () me com (Larry W. Cashdollar)
Date: Mon, 7 Jul 2014 14:15:00 -0400 (EDT)
Title: Vulnerability Report for Ruby Gem ciborg-3.0.0
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108586
CVE: Please Assign
Download: http://rubygems.org/gems/ciborg
Gem Author: commoncode () pivotallabs com

From: ./ciborg-3.0.0/chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb (lines 14-16)

There is a /tmp file race condition when creating /tmp/perlbrew-installer: if a malicious local user creates the file first, they can overwrite its contents with their own code, which is then executed as the ciborg process owner.

    curl -s https://raw.github.com/gugod/App-perlbrew/master/perlbrew-install -o /tmp/perlbrew-installer
    chmod +x /tmp/perlbrew-installer
    /tmp/perlbrew-installer

Advisory: http://www.vapid.dhs.org/advisories/ciborg-3.0.0.html
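The recipe above writes to a fixed, world-predictable path in a shared directory, which is what makes the pre-creation race possible. The following POSIX shell script is an added example written for this page; it is not code from the ciborg gem or from Larry Cashdollar's advisory. It shows the hardened form of the same download-and-run step: the installer is written into a fresh, private directory created by mktemp(1) (mode 0700, random name), so another local user can neither pre-create the file nor replace it between the download and the execution. The fetch is isolated in its own function so the example can run offline against a constructed stub installer; the URL, function names and the demo_offline helper are all assumptions of this example.

```shell
#!/bin/sh
# Added example: download-and-run without the /tmp race described in the advisory.
# Vulnerable pattern (from the recipe): a fixed path /tmp/perlbrew-installer in a
# world-writable directory. Hardened pattern (below): a private mktemp directory.

# fetch_installer URL DEST
# Network fetch kept separate so it can be stubbed for offline runs/tests.
fetch_installer() {
    curl -fsSL "$1" -o "$2"
}

# run_installer_safely URL
# Downloads the installer into a private temporary directory, runs it, and
# removes the directory afterwards. Returns the installer's exit status.
run_installer_safely() {
    url=$1
    # mktemp -d creates a directory with a random name and mode 0700, so no
    # other local user can create or replace files inside it.
    tmpdir=$(mktemp -d) || return 1
    installer="$tmpdir/perlbrew-installer"
    status=1
    if fetch_installer "$url" "$installer" && chmod 0700 "$installer"; then
        "$installer"
        status=$?
    fi
    # Clean up regardless of outcome; nothing is left behind under /tmp.
    rm -rf "$tmpdir"
    return "$status"
}

# demo_offline: replaces the network fetch with a constructed stub installer so
# the hardened flow can be exercised without network access (assumed helper).
demo_offline() {
    fetch_installer() {
        printf '#!/bin/sh\necho "constructed installer ran as $(id -un)"\n' > "$2"
    }
    run_installer_safely "https://example.invalid/perlbrew-install"
}

# Real usage (network required):
#   run_installer_safely https://raw.github.com/gugod/App-perlbrew/master/perlbrew-install
```

In a Chef recipe the equivalent fix is to stop passing a fixed /tmp path to a bash resource and instead place the downloaded file somewhere the recipe controls (for example a directory owned by the service user with mode 0700) before executing it; the script above shows the property that matters, which is that the path cannot be claimed by another local user before the download happens.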