Date: Tue, 29 Oct 2013 22:56:26 -0600 From: Kurt Seifried <kseifried@...hat.com> To: mmcallis@...hat.com, oss-security@...ts.openwall.com CC: carnil@...ian.org Subject: Re: CVE Request: sup MUA Command Injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/29/2013 08:26 PM, Murray McAllister wrote: > On 10/30/2013 07:44 AM, Kurt Seifried wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> >> On 10/29/2013 01:30 PM, Salvatore Bonaccorso wrote: >>> Hi, >>> >>> On full-disclosure list there was reported a command injection >>> vulnerability in 'sup', a console-based email client. >>> >>>  >>> http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html >>> >>>  http://seclists.org/fulldisclosure/2013/Oct/272 >>> >>> For reference quoting the upstream announce: >>> >>> ----cut---------cut---------cut---------cut---------cut---------cut----- >>> >>> >> >>> Greetings, >>> >>> Security advisory (#SBU1) for Sup >>> >>> We have been notified of an potential exploit in the somewhat >>> careless way Sup treats attachment metadata in received >>> e-mails. The issues should now be fixed and I have released Sup >>> 0.13.2.1 and 0.14.1.1 which incorporates these fixes. Please >>> upgrade immediately and also ensure that your mime-decode or >>> mime-view hooks are secure , . >>> >>> This is specifically related to using quotes (',") around >>> filename or content_type which is already escaped using Ruby >>> Shellwords.escape - this means that the string (content_type, >>> filename) is intended to be used _without_ any further quotes. >>> Please make sure that if you use .mailcap (non OSX systems), >>> you do not quote the string. >>> >>> Credit goes to: joernchen of Phenoelit (http://phenoelit.de) >>> who discovered and suggested fixes for these issues. >>> >>>  >>> https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments >>>  >>> https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup >>> >>> You can use 'gem' to upgrade or install sup. Please report any >>> issues to: https://github.com/sup-heliotrope/sup/issues >>> >>> Regards, Gaute >>> ----cut---------cut---------cut---------cut---------cut---------cut----- >>> >>> >>> Upstream fixed (as mentioned in announce) the issue in 0.13.2.1 >>> and 0.14.1.1. Commits: >>> >>>  >>> https://github.com/sup-heliotrope/sup/compare/release-0.13.2...release-0.13.2.1 >>> >>> >>> >> >>>  >> https://github.com/sup-heliotrope/sup/compare/release-0.14.1...release-0.14.1.1 >> >>> >>> >> Could a CVE be assigned for this issue? >>> >>> Regards, Salvatore >>> >> >> Please use CVE-2013-4478 for this issue. > > To confirm, is this CVE for both the content_type issue and the > filename issue? > > Thanks, > > -- Murray McAllister / Red Hat Security Response Team CVE-2013-4478 is for the issue specifically covered in http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt which is https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785 (security: shellwords escape attachment file names to prevent remote code execution). I missed that they fixed a second issue: https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42 (security: prevent remote command injection in content_type) Pleas use CVE-2013-4479 for this - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJScJF5AAoJEBYNRVNeJnmT57MQANYex5v0uoNLQ6LfkHM16hnH quIf0urWlIC/CwY9KfkON8rh3seP1J9H+0iDcdOIzxCvDqFUXMTY4gJU5G1j1DDh SDoXoMW94kzW8xWb8tTJWqqfzSXb/teOUtlqPdcbzper15OjU6R6Ga9wJ6zzuQQZ w8dVH27oskgqmEplu/2vT+uop4JIv0fR0um6QiWdKHEpfGsAVjrm81OhEW519cvn H4FNSzgNl4Q+KuF3V1cZBsFDT/bCmm+MrMMYccAVn+anGV62H4Az8wM7aaDU4aTZ /mhiPgoNxtRbE+NzeAGDbNw9gsNtOzSRI+/t/rd605z3hhwwfNlF0MCyU1wiGhjF K2KjKnil4VlyUewjxNhLJRVzJ6wrJtKOrQi/od6eBN6Hv3AJhrK7RqmnzxBWlRQ1 1/JBRL5qJiYquesgMwd4GPrhpar04p38+FMYnWbCcNkuAlqoNiivI8yt2knvLRKr mDjJAJY7FlxWd7Flz0/6GfPj3U0lxRn0vEFEPmy+BhnYZY5qnoP/77Kv1tuyWcbj /gzhrGTtkrNMaBEvYJ3UQtKCYlCRpQCvnWnQ9X/aG3aEGUPfxsVCWb42vht66AWg 03n0GVAjtf7mWgFJ9KVVEgRf0oId6AJcSAGMSmnPqsrT55d7x84tTycqR0SRZ0Fo jWuwNu4O8S4oj9Z350z/ =Zaxg -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ