Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
From: cve-assign@...re.org
To: larry0@...com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4


We are not sure of the best way to interpret statements such as

> If this Gem is used in the context of a Rails application it may be
> possible for a remote user to inject commands into the shell via
> #{password} #{user} #{deploy_name} #{application} variables if that
> data is user supplied.

At this level, one question might be: is it possible that this Gem
wasn't ever intended to be used in the context of a Rails application?
(This question may also apply to some other recent CVE requests.)

At a slightly higher level:

http://rubygems.org/gems/kompanee-recipes says "These are the common
recipes we've been using here at The Kompanee." It seems unclear
whether this is really intended to have widespread use as-is except by
thekompanee.com insiders. For example, parts of it seem highly
site-specific such as lib/kompanee-recipes/bash.rb "This will install
a more secure SSH environment ... it will ... change the default
port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config
/etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets
intelligent defaults for Kompanee Rackspace deployments ... :domain,
"thekompanee.com" ... :server_ip, "174.143.212.245" ... Most of these
values can be overridden in each application's deploy.rb file.
Unfortunately some of them can't be such as :scm but they're our
recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically,
site-specific. It would perhaps be reasonable to decline to assign CVE
IDs for anything in kompanee-recipes because the entire Gem is
arguably being published as example code that could be adapted by
other organizations, not as a general-use product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
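The pattern the quoted report describes, shown as an added example that is not code from kompanee-recipes or from this e-mail: the variable names come from the report, the mysqldump command line and the sample values are constructed for illustration.

```ruby
# Added example: interpolating deploy variables into a shell string versus
# escaping them. Not the gem's code; the command and values are constructed.
require "shellwords"

# Constructed deploy variables; the keys mirror the ones named in the report.
DEPLOY_VARS = { user: "deploy", password: "s3cret", application: "shop" }.freeze

# Risky pattern: values are dropped straight into a string that a recipe
# hands to sh. If any value is user supplied, shell metacharacters in it
# are interpreted as syntax rather than data.
def naive_command(vars)
  "mysqldump -u #{vars[:user]} -p#{vars[:password]} #{vars[:application]}"
end

# Hardened pattern: build argv and let Shellwords quote each element, so
# every value reaches the shell as exactly one literal word.
def escaped_command(vars)
  argv = ["mysqldump", "-u", vars[:user], "-p#{vars[:password]}", vars[:application]]
  Shellwords.join(argv)
end

# Re-tokenise the command with POSIX word-splitting rules and count words;
# a value that spawns extra words is one the shell would not treat as data.
def word_count(cmd)
  Shellwords.split(cmd).length
end

if $PROGRAM_NAME == __FILE__
  hostile = DEPLOY_VARS.merge(application: "shop; id") # constructed hostile value
  puts naive_command(hostile)   # the application name becomes two words for sh
  puts escaped_command(hostile) # the same name survives as one escaped word
end
```

`word_count` is a rough check only: `Shellwords.split` handles quoting and whitespace, not operators such as `;` or `$(...)`, so the real test is that the escaped value round-trips unchanged as a single word.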
