Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 31 Mar 2013 15:36:43 -0400
From: Larry Cashdollar <larry0@...com>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>
Cc: Packet Storm <packet@...ketstormsecurity.org>
Subject: Re: Remote command execution in Ruby Gem ldoce 0.0.2

Oh, sorry here it is:

http://rubygems.org/gems/ldoce


Sent with AquaMail for Android
http://www.aqua-mail.com


On March 31, 2013 3:23:00 PM Kurt Seifried <kseifried@...hat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/31/2013 10:11 AM, Larry W. Cashdollar wrote:
> >
> > Remote command execution in Ruby Gem ldoce 0.0.2
> >
> > /Larry W. Cashdollar @_larry0 3/25/2013/
> > ------------------------------------------------------------------------
> >
> >  Ldoce Ruby Gem:
> >
> > Easily interface with the Longman Dictionary of Contemporary
> > English API from Ruby:
> >
> > NB currently mac only as it depends on the afplay command.
> >
> > https://github.com/markburns/ldoce
> >
> > Ldoce passes an mp3 url to commandline for audio output of the
> > pronunciation of a dictonary word:
> >
> > If the URL or filename for the mp3 files contain shell
> > metacharacters code can be executed remotely as the client:
> >
> > [./ldoce-0.0.2/lib/ldoce/word.rb]
> >
> > if mp3? unless File.exists? filename command = "curl #{mp3_url}
> > -silent > {filename}" `{command}` end `afplay #{filename}` end
> >
>
> Just one note, can you include the link (if available) to the gem on
> the rubygems.org site (which where most people seem to get their gems).
>
> Please use CVE-2013-1911 for this issue.
>
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJRWI0UAAoJEBYNRVNeJnmTrHMP/RDKi6LHT+t0viJZy2zsqftQ
> W87AvNUOpUGDx1ip78No/ymXwHgWiFLoH+n6I4GpPZ4CuTfUlWos9kRJ0GpWFPZi
> nwMsJvgMh7ZEtHUHR+aVssvbwTTU5P2bKkCM5ishVTwKYtFTHQECHzSd44OE5/D5
> zqQN+mYTIh+tW71LIG0NVwUJuazgi/Z0rA9Bv03X31Vja7G/83/R44IrTGS6eXG+
> 0Ymmfpmfiy+2cdTjnVPKq+zVTVwLyMoPDTouzP3wbsERxrMXEQEqSlo4JtDZQUcC
> cjrIk9mOp4tJ2spS2ez1duIAJGKDKUNlL+44GKTOCjAEZmGorDoDo+Iv/XsPcEXS
> azxhlx3ikJjMByKcQfe9c9aVJJj6vHOzUNbTkFyC4bDWT3CbDLmuZtN+WHtfNpE8
> xUOGxlvWLDwtunFRVVrGinZfg7QetcWyI7KBr6QGLMyRPNshOhi4iKABtmpF5VxP
> M7Qo8t9v0V3E3fhjo053E6g4zG33JidBPP8B4WJ3dX6yJWYb1GAB+EHUTQh48Yub
> PBJgqgeuQdTJu0JLkbKj0YTyrQRdg8Jo8pCDdhodeModsC+iHY/brvKjYVjoZVxH
> IKf2ga6p6apAL2ZCKGzO6dfpXF02SxaTzaaEuIJOx5KDMws8BfxJ+mPFQ6AU1DC7
> dOZVOFV7G9DFkA2ER8gy
> =9PGv
> -----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ