Date: Tue, 14 May 2013 13:17:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Remote command Injection in Creme Fraiche 0.6 Ruby Gem

On 05/14/2013 10:59 AM, Larry W. Cashdollar wrote:
> TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem
> 
> DATE: 5/14/2013
> 
> AUTHOR: Larry W. Cashdollar (@_larry0)
> 
> DOWNLOAD: http://rubygems.org/gems/cremefraiche, 
> http://www.uplawski.eu/technology/cremefraiche/
> 
> DESCRIPTION: Converts Email to PDF files.
> 
> VENDOR: Notified on 5/13/2013, provided fix 5/14/2013
> 
> FIX: In Version 0.6.1
> 
> CVE: TBD (please assign?)
> 
> DETAILS: The following lines pass unsanitized user input directly
> to the command line.
> 
> A malicious email attachment with a file name consisting of shell 
> metacharacters could inject commands into the shell.
> 
> If the attacker is allowed to specify a filename (via a web gui) 
> commands could be injected that way as well.
> 
> cmd = "pdftk %s update_info %s output %s" % [pdf, info_file, t_file]
> @log.debug('pdftk-command is ' << cmd)
> pdftk_result = system( cmd)
> 
> 
> GREETINGS:
> @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and
> @attritionorg
> 
> ADVISORY:
> http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
> 

Please use CVE-2013-2090 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
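The quoted advisory describes the classic Ruby pattern behind CVE-2013-2090: a command line is built by string formatting and handed to system(), so any shell metacharacters in an attachment name reach /bin/sh. The following Ruby script is an added example, not code from the thread or from the cremefraiche gem. It places the vulnerable string-formatting construction beside two hardened forms (argv-style spawning, and Shellwords.escape for cases where a single shell string is unavoidable) and runs all three against a constructed malicious filename. To make it runnable without pdftk installed, the tool name is a parameter and the demo substitutes echo, so the effect of the injection shows up as extra output lines rather than an extra process.

```ruby
require 'open3'
require 'shellwords'

# Constructed attachment name with shell metacharacters (assumption, not from the advisory).
EVIL_NAME = "report.pdf; echo INJECTED".freeze

# Vulnerable construction, as in the advisory: the arguments are interpolated into one
# string, and system(cmd) on a string containing metacharacters runs it through /bin/sh.
# `tool:` defaults to pdftk; the demo passes "echo" so it runs anywhere.
def vulnerable_command(pdf, info_file, out_file, tool: "pdftk")
  "#{tool} %s update_info %s output %s" % [pdf, info_file, out_file]
end

# Hardened form 1: an argv array. Ruby's system/spawn/Open3 with multiple arguments
# exec the program directly, so the filename is a single argument, never shell input.
def hardened_argv(pdf, info_file, out_file, tool: "pdftk")
  [tool, pdf, "update_info", info_file, "output", out_file]
end

# Hardened form 2: if a shell string really is required (e.g. for a pipeline),
# escape every untrusted argument with Shellwords.escape before formatting.
def escaped_command(pdf, info_file, out_file, tool: "pdftk")
  args = [pdf, info_file, out_file].map { |a| Shellwords.escape(a) }
  "#{tool} %s update_info %s output %s" % args
end

# What the gem's system(cmd) does: hand a single string to the shell. Returns stdout.
def run_shell_string(cmd)
  out, _status = Open3.capture2(cmd)
  out
end

# Spawn without a shell: each array element is one argv entry. Returns stdout.
def run_argv(argv)
  out, _status = Open3.capture2(*argv)
  out
end

# True when the shell treated part of the filename as a second command:
# with echo as the tool, that shows up as more than one output line.
def injected?(output)
  output.lines.size > 1
end

if __FILE__ == $0
  vuln = run_shell_string(vulnerable_command(EVIL_NAME, "info.txt", "out.pdf", tool: "echo"))
  safe = run_argv(hardened_argv(EVIL_NAME, "info.txt", "out.pdf", tool: "echo"))
  esc  = run_shell_string(escaped_command(EVIL_NAME, "info.txt", "out.pdf", tool: "echo"))
  puts "vulnerable: #{vuln.inspect} injected=#{injected?(vuln)}"
  puts "argv:       #{safe.inspect} injected=#{injected?(safe)}"
  puts "escaped:    #{esc.inspect} injected=#{injected?(esc)}"
end
```

The argv form is the one to prefer in a fix like 0.6.1's: it needs no escaping logic to get right, and it also closes the door on globbing and variable expansion, which Shellwords.escape handles but a hand-written blacklist of metacharacters usually does not.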
