Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
Subject: Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4

We are not sure of the best way to interpret statements such as

> If this Gem is used in the context of a Rails application it may be
> possible for a remote user to inject commands into the shell via
> #{password} #{user} #{deploy_name} #{application} variables if that
> data is user supplied.

At this level, one question might be: is it possible that this Gem
wasn't ever intended to be used in the context of a Rails application?
(This question may also apply to some other recent CVE requests.)

At a slightly higher level: says "These are the common
recipes we've been using here at The Kompanee." It seems unclear
whether this is really intended to have widespread use as-is except by insiders. For example, parts of it seem highly
site-specific such as lib/kompanee-recipes/bash.rb "This will install
a more secure SSH environment ... it will ... change the default
port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config
/etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets
intelligent defaults for Kompanee Rackspace deployments ... :domain,
"" ... :server_ip, "" ... Most of these
values can be overridden in each application's deploy.rb file.
Unfortunately some of them can't be such as :scm but they're our
recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically,
site-specific. It would perhaps be reasonable to decline to assign CVE
IDs for anything in kompanee-recipes because the entire Gem is
arguably being published as example code that could be adapted by
other organizations, not as a general-use product.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
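The injection pattern the quoted report describes, as an added example (not code from the gem or from the report): a recipe-style command built by string interpolation beside a Shellwords-quoted version, with a small check for unescaped shell metacharacters run over constructed sample values. The `useradd` command and the sample values are assumptions.

```ruby
require 'shellwords'

# Constructed values standing in for settings such as :user. In a recipe
# they come from deploy.rb; the report's concern is what happens when
# they are user-supplied instead.
SAMPLE_USERS = ['alice', 'bob; id', 'carol$(whoami)', 'dave`id`'].freeze

# Vulnerable pattern from the quoted report: a setting interpolated
# straight into a command line that is then handed to a shell.
def useradd_interpolated(user)
  "useradd -m #{user}"
end

# Hardened pattern: let Shellwords quote each argument so the shell sees
# exactly one word per value, whatever characters it contains.
def useradd_escaped(user)
  Shellwords.join(['useradd', '-m', user])
end

# Defensive check: does the command contain a shell metacharacter that is
# neither backslash-escaped nor inside single quotes? Double quotes still
# leave $ and ` active, so those two count even inside them.
META = %w[; | & $ ` ( ) < >].freeze

def unescaped_metachar?(command)
  single = double = false
  i = 0
  while i < command.length
    c = command[i]
    if c == '\\' && !single
      i += 2 # skip the escaped character
      next
    end
    if c == "'" && !double then single = !single
    elsif c == '"' && !single then double = !double
    elsif !single && META.include?(c) && (!double || c == '$' || c == '`')
      return true
    end
    i += 1
  end
  false
end

# Summary over the samples: [user, interpolated_risky?, escaped_risky?]
def audit(users = SAMPLE_USERS)
  users.map do |u|
    [u, unescaped_metachar?(useradd_interpolated(u)),
        unescaped_metachar?(useradd_escaped(u))]
  end
end

puts audit.map(&:inspect) if $PROGRAM_NAME == __FILE__
```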