Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon,  7 Jul 2014 14:14:03 -0400 (EDT)
From: larry0@...com (Larry W. Cashdollar)
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability Report for Ruby Gem gyazo-1.0.0

Title: Vulnerability Report for Ruby Gem gyazo-1.0.0

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108563

CVE:Please Assign

Download: http://rubygems.org/gems/gyazo

Gem Author:  masui@...ecan.com

From: ./gyazo-1.0.0/lib/gyazo/client.rb

If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and
#{tmpfile} using shell meta characters like ; and sending an escaped \".

0through the #{imagefile} name if the raw option is not set.  Also file names are time based and predictable leading
to file clobbering vulnerabilities as the running process username.
 57       unless opts[:raw]
 58         tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
 59         if File.exist? imagefile
 60           system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
 61         end
 62       end


Advisory: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.