Date: Fri, 02 Aug 2013 23:27:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Rgpg Ruby Gem Remote Command Injection (CVE Request)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/02/2013 01:12 AM, Larry W. Cashdollar wrote:
> Title: *Rgpg Ruby Gem Remote Command Injection*
> 
> 
> Date: 7/31/2013
> 
> 
> Advisory Author: Larry W. Cashdollar, @_larry0
> 
> 
> CVE: TBD
> 
> 
> Download: https://rubygems.org/gems/rgpg
> 
> 
> Description:
> 
> 
> "A simple Ruby wrapper around gpg command for file encryption.
> 
> rgpg is a simple API for interacting with the gpg tool. It is 
> specifically designed to avoid altering global keyring state by
> creating temporary public and secret keyrings on the fly for
> encryption and decryption."
> 
> 
> Vulnerability:
> 
> 
> The following code snippet does not sanitize user supplied input
> before passing it to the System () function for execution. If this
> API is used in the context of a rails application remote commands
> can be injected into the shell if the user supplies shell meta
> characters like ; and &.
> 
> in lib/rgpg/gpg_helper.rb:
> 
>     begin
>       output_file.close
>       result = system("#{command_line} > #{output_file.path} 2>&1")
>     ensure
> 
> Author: Notified 8/1/2013.
> 
> 
> Fixed: in 0.2.3. 8/1/2013.
> 
> 
> Greets to all@...CON21.
> 

Please use CVE-2013-4203 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR/JSsAAoJEBYNRVNeJnmTJ1UP/i07yMMuth0XEJjDoyWGb0AK
ov+h6eAEBS0GmCwwzyP71J0bZiGhJ3OVpfD9+gFCYwlJRrgQPG1fCfxTbg2jMuZG
NmrmPbNvNA4P4EdmQrAd8B52c0Bj+HsBm43vC1BkBcgL91KK3JzcqzOy+LGfa2tL
VJYmrzBPkbCYGYe1e6pSYKsOuFMQ2epBbaV4K5nnJBr8SVL1hE7PC06f4rsRwsDg
N7Mn4g9+L+cChRxe464U3jJh1fc7kM/UW2pe50Lqf7gJXi5H2WdNimS0STrzZxcN
dTlufNylobuIwAQXJ2ZfQ19JCLCm49JFLDDXbKcbvFPsKmZ7OS9GTZP423M5eUN9
UnI30FF9SkmU1mWh9+o6xxO9BfLz40cRhYsk++oln48djVpjvJcyzklpbwieRh4A
9KO2T5txo5pl6jt20mzzQZyuatsl1mfQCIQ1ltxOqNXzs1Bw7km7jQWCP3qeZjMD
NRtrOagtzFf01oX7b/hUNKxpdN/fwJciSf737eAsi8ys6KJJMwWbO+u8Hq8JtK/O
LULbsUGIPgcih5mpLj7d9+d5zlRc8WcNwYHwNeFon2BQFYuIHzJ72ErDQzGIi4Ly
oS9EwxfoQX/6WJw2yQSvs7wUiOyxWIPKunPOnm8OYrBmxiVbiVLllEhylMf40f02
RgKNyJnxWZPPEFf/XkUM
=KV4E
-----END PGP SIGNATURE-----
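The pattern the advisory describes, as an added illustration that is not rgpg's own code nor part of this thread: a single interpolated string handed to `system()` is parsed by `/bin/sh`, so a file name carrying `;` becomes a second command, whereas passing program and arguments as separate argv entries execs the program directly with no shell in the path. `echo` stands in for `gpg` so the demo is harmless and runs anywhere; the file name and the allow-list regex are constructed for the example.

```ruby
require 'open3'

# Constructed sample input (not from the advisory): a "file name" that
# carries the ";" metacharacter the advisory warns about.
UNTRUSTED_NAME = 'report.txt; echo injected'.freeze

# Vulnerable shape, same as the advisory's interpolated system() call, with
# echo standing in for gpg. Open3 sees one string containing shell syntax,
# so it spawns /bin/sh -c and the shell treats ";" as a command separator.
def run_via_shell(name)
  out, _status = Open3.capture2e("echo #{name}")
  out
end

# Hardened shape: program and argument are separate argv entries. Ruby execs
# the program directly; no shell ever sees the name, so ";" stays data.
def run_without_shell(name)
  out, _status = Open3.capture2e('echo', name)
  out
end

# Defense in depth: validate the name against a conservative allow-list
# before it reaches any command at all (constructed policy for this example).
SAFE_NAME = /\A[A-Za-z0-9._\-\/]+\z/

def safe_name?(name)
  SAFE_NAME.match?(name)
end

if $PROGRAM_NAME == __FILE__
  # Shell form prints two lines; argv form prints the name verbatim.
  puts run_via_shell(UNTRUSTED_NAME).inspect
  puts run_without_shell(UNTRUSTED_NAME).inspect
  puts "allow-listed? #{safe_name?(UNTRUSTED_NAME)}"
end
```

The same split applies to `system`, `Process.spawn`, `IO.popen` and backticks: with one string argument Ruby consults the shell whenever the string contains metacharacters, with an argument list it never does. Audits of a Rails code base can grep for `system("` and `` ` `` followed by `#{` to find the string-interpolation form.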
