Date: Thu, 18 Jun 2015 23:12:12 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE request: Content type spoofing in ruby gem paperclip <4.2.2

OSVDB noticed that this seems to be CVE-2015-2963

http://jvn.jp/en/jp/JVN83881261/index.html (no idea why they call it an
XSS)

https://robots.thoughtbot.com/paperclip-security-release is the official
notification and just references the commit message.

~reed

On Thu, Jun 18, 2015 at 1:56 AM, Reed Loden <reed@...dloden.com> wrote:

> Saw this in paperclip's NEWS file, and I couldn't find a CVE for it.
>
>
> https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57
>
> """"
> There is an issue where if an HTML file is uploaded with a .html
> extension, but the content type is listed as being `image/jpeg`, this
> will bypass a validation checking for images. But it will also pass the
> spoof check, because a file named .html and containing actual HTML
> passes the spoof check.
>
> This change makes it so that we also check the supplied content type. So
> even if the file contains HTML and ends with .html, it doesn't match the
> content type of `image/jpeg` and so it fails.
> """"
>
> Fixed in paperclip 4.2.2.
>
> ~reed
>
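A constructed model of the check described in the quoted commit message, added here as an illustration and not paperclip's own code: the byte-sniffing content detector, the image validation and the two sample uploads are hypothetical stand-ins, but the two spoof checks reproduce the before/after logic the message describes.

```ruby
# Constructed illustration of the paperclip < 4.2.2 spoof-check weakness.
# Content detection is simulated by sniffing magic bytes rather than
# calling `file --mime-type`, which is what the real check shells out to.

EXT_TYPES = { "jpg" => "image/jpeg", "jpeg" => "image/jpeg",
              "png" => "image/png", "html" => "text/html" }.freeze

# Stand-in for the content type detected from the file's actual bytes.
def detect_content_type(bytes)
  return "image/jpeg" if bytes.start_with?("\xFF\xD8\xFF".b)
  return "image/png"  if bytes.start_with?("\x89PNG".b)
  return "text/html"  if bytes.lstrip.start_with?("<") && bytes =~ /<html|<!doctype/i
  "application/octet-stream"
end

# Content type implied by the file extension (nil for unknown extensions).
def extension_type(filename)
  EXT_TYPES[File.extname(filename).delete(".").downcase]
end

# Pre-fix behaviour: only extension vs detected content is compared, the
# client-supplied content type is ignored. A file named .html that really
# contains HTML therefore passes even when the client claims `image/jpeg`.
def spoofed_before_fix?(filename, _supplied_type, bytes)
  extension_type(filename) != detect_content_type(bytes)
end

# Post-fix behaviour (4.2.2): the supplied content type must also agree
# with what the bytes actually are.
def spoofed_after_fix?(filename, supplied_type, bytes)
  detected = detect_content_type(bytes)
  extension_type(filename) != detected || supplied_type != detected
end

# Hypothetical "must be an image" validation that, like the one in the
# commit message, trusts the supplied type once the spoof check has passed.
def accept_image_upload?(filename, supplied_type, bytes, spoof_check)
  return false if send(spoof_check, filename, supplied_type, bytes)
  supplied_type.start_with?("image/")
end

# Constructed samples: real HTML with a spoofed content type, and a real JPEG.
HTML_UPLOAD = ["page.html", "image/jpeg",
               "<!DOCTYPE html><html><body>hi</body></html>".b].freeze
JPEG_UPLOAD = ["photo.jpg", "image/jpeg", "\xFF\xD8\xFF\xE0".b + ("\x00" * 16)].freeze
```

With the pre-fix check the HTML upload is accepted as an image; with the post-fix check it is rejected while the genuine JPEG still passes.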
