Date: Mon, 08 Apr 2013 12:55:37 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4

On 04/08/2013 06:56 AM, Larry W. Cashdollar wrote:
> 
> Remote Command Injection Karteek Docsplit 0.5.4
> 
> ------------------------------------------------------------------------
>
>  4/1/2013 Larry W. Cashdollar @_larry0
> 
> User-supplied input isn't sanitized against shell metacharacters
> and is fed directly to the shell. If the user is tricked into
> extracting a file with shell characters in the name, code can be
> executed remotely.
> 
> https://rubygems.org/gems/karteek-docsplit
> 
> ./karteek-docsplit-0.5.4/lib/docsplit/text_extractor.rb
> 
>     def extract_from_ocr(pdf, pages)
>       tempdir = Dir.mktmpdir
>       base_path = File.join(@...put, @pdf_name)
>       if pages
>         pages.each do |page|
>           tiff = "#{tempdir}/#{@..._name}_#{page}.tif"
>           file = "#{base_path}_#{page}"
>           run "MAGICK_TMPDIR=#{tempdir} OMP_NUM_THREADS=2 gm convert -despeckle +adjoin #{MEMORY_ARGS} #{OCR_FLAGS} #{pdf}[#{page - 1}] #{tiff} 2>&1"
>           run "tesseract #{tiff} #{file} -l eng 2>&1"
>           clean_text(file + '.txt') if @clean_ocr
>           FileUtils.remove_entry_secure tiff
>         end
>       else
>         tiff = "#{tempdir}/#{@..._name}.tif"
>         run "MAGICK_TMPDIR=#{tempdir} OMP_NUM_THREADS=2 gm convert -despeckle #{MEMORY_ARGS} #{OCR_FLAGS} #{pdf} #{tiff} 2>&1"
>         run "tesseract #{tiff} #{base_path} -l eng 2>&1"
>         clean_text(base_path + '.txt') if @clean_ocr
>       end
> 
> Run is defined as:
> 
>     def run(command)
>       result = `#{command}`
>       raise ExtractionFailed, result if $? != 0
>       result
>     end
> 
> This vulnerability doesn't have a CVE yet assigned.
> 
> http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html


Please use CVE-2013-1933 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
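
Added example, not part of the original message or of Docsplit's own code: the backtick `run` pattern quoted in the advisory next to an argv-based replacement that never invokes a shell. The names `run_shell`, `run_argv`, `gm_convert_argv`, `echo_arg_shell`, `echo_arg_argv` and the sample file name are assumptions made for illustration; `echo` and `printf` stand in for `gm` and `tesseract` so the block runs without them.

```ruby
require 'open3'

class ExtractionFailed < StandardError; end

# Pattern from the advisory: one interpolated string handed to /bin/sh, so
# metacharacters inside a file name are parsed as shell syntax.
def run_shell(command)
  result = `#{command}`
  raise ExtractionFailed, result if $? != 0
  result
end

# Hardened form: environment as a hash, program and arguments as separate
# argv entries. No shell is involved; capture2e merges stderr like "2>&1".
def run_argv(env, *argv)
  result, status = Open3.capture2e(env, *argv)
  raise ExtractionFailed, result unless status.success?
  result
end

# Hypothetical helper: argv equivalent of the non-paged "gm convert" call.
# MEMORY_ARGS / OCR_FLAGS are assumed to be supplied as arrays of strings.
def gm_convert_argv(pdf, tiff, tempdir, memory_args: [], ocr_flags: [])
  env = { 'MAGICK_TMPDIR' => tempdir, 'OMP_NUM_THREADS' => '2' }
  # An absolute path cannot be mistaken for a command-line option.
  [env, 'gm', 'convert', '-despeckle', *memory_args, *ocr_flags,
   File.expand_path(pdf), tiff]
end

# Constructed sample: a file name carrying a harmless second command.
SAMPLE_NAME = 'report.pdf; echo INJECTED'

# Stand-ins for the real tools: each prints the file name it was given.
def echo_arg_shell(name)
  run_shell("echo #{name}")
end

def echo_arg_argv(name)
  run_argv({}, 'printf', '%s', name)
end

if __FILE__ == $0
  p echo_arg_shell(SAMPLE_NAME) # the shell splits the name into two commands
  p echo_arg_argv(SAMPLE_NAME)  # the name arrives as one literal argument
end
```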
