Date: Mon, 4 Jan 2016 17:09:15 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Remote Command Injection in Ruby Gem colorscore <=0.0.4

Title: Remote Command Injection in Ruby Gem colorscore <=0.0.4

Description: Finds the dominant colors in an image and scores them against
a user-defined palette, using the CIE2000 Delta E formula.

Homepage: https://github.com/quadule/colorscore

Download: https://rubygems.org/gems/colorscore

Affected versions: All (<=0.0.4 currently)

Vulnerability:
The contents of the `image_path`, `colors`, and `depth` variables, which may
originate from user-supplied input, are interpolated unescaped into a backtick
command string on line 4 of the snippet below. Ruby hands a command containing
shell metacharacters to /bin/sh, so a value that includes characters such as
';', '|', '&' or '$(...)' lets an attacker execute arbitrary shell commands on
the remote system as the user id of the Ruby process. `image_path` is the most
exposed variable, since it is the one an application is most likely to take
directly from a client (for example an upload path or URL).

To resolve this issue, the aforementioned variables (especially
`image_path`) must be sanitized for shell metacharacters, or, better, the shell
must be bypassed altogether by invoking `convert` with an argument array (e.g.
`Open3.capture2` or `IO.popen` with an array) so that each value reaches the
program as a single literal argument. Numeric options such as `colors` and
`depth` should additionally be coerced to integers before use.

1  module Colorscore
2    class Histogram
3      def initialize(image_path, colors=16, depth=8)
4        output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-`
5        @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?)
6      end
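The following is an added example, not code from the colorscore gem or from the advisory: it places the backtick pattern shown above next to a shell-free rewrite and lets both be exercised without ImageMagick. The module name, the method names and the `exe:` keyword (which substitutes `echo` for `convert` when demonstrating) are this example's own assumptions; the argv-array approach is one of the remediations suggested above, not the fix the advisory itself prescribes.

```ruby
require 'open3'

# Added example for the colorscore advisory (CVE-2015-7541). Not the gem's code;
# module/method names and the `exe:` keyword are illustrative choices.
module ColorscoreInjectionDemo
  # Vulnerable form, same shape as Histogram#initialize in the gem: every
  # variable is spliced into a string that `...` hands to /bin/sh, so ';', '|',
  # '&' and '$(...)' in any of them are honoured by the shell.
  def self.vulnerable_histogram(image_path, colors = 16, depth = 8, exe: 'convert')
    cmd = "#{exe} #{image_path} -resize 400x400 -format %c -dither None " \
          "-quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-"
    output = `#{cmd}`
    output.lines.sort.reverse.map(&:strip).reject(&:empty?)
  end

  # Argument vector for the hardened form. Integer() raises on "16; id" or
  # "8 | nc ...", so the numeric options can never carry text. The path is
  # rejected if convert could read it as an option ("-...") or, in older
  # ImageMagick releases, as a command pipe ("|...").
  def self.safe_argv(image_path, colors = 16, depth = 8, exe: 'convert')
    path = String(image_path)
    if path.empty? || path.start_with?('-', '|') || path.include?("\0")
      raise ArgumentError, "unsafe image path: #{path.inspect}"
    end
    [exe, path, '-resize', '400x400', '-format', '%c', '-dither', 'None',
     '-quantize', 'YIQ', '-colors', Integer(colors).to_s,
     '-depth', Integer(depth).to_s, 'histogram:info:-']
  end

  # Hardened form: Open3.capture2 with an argv array execs the program directly.
  # No shell is involved, so "x.png; rm -rf /" arrives as one literal argument
  # that convert simply fails to open.
  def self.safe_histogram(image_path, colors = 16, depth = 8, exe: 'convert')
    argv = safe_argv(image_path, colors, depth, exe: exe)
    output, status = Open3.capture2(*argv)
    raise "#{exe} exited #{status.exitstatus}" unless status.success?
    output.lines.sort.reverse.map(&:strip).reject(&:empty?)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed payload: the '#' comments out the trailing convert options so
  # the injected command runs cleanly under /bin/sh.
  payload = 'x.png; echo INJECTED #'
  p ColorscoreInjectionDemo.vulnerable_histogram(payload, exe: 'echo')
  p ColorscoreInjectionDemo.safe_histogram(payload, exe: 'echo')
end
```

Running the block with `exe: 'echo'` shows the difference directly: the vulnerable method returns `INJECTED` as its own output line because the shell executed the second command, while the hardened method returns a single line in which the whole payload was printed verbatim as one argument. Removing the shell does not validate the file itself; ImageMagick still decides how to interpret the path it receives, so an application should additionally confirm that `image_path` names a file it intends to process.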

CVE: CVE-2015-7541

Credits: Dirk Zittersteyn (@...ttersteyn)

History:
* 2015-12-04 -- Vendor notified
* 2015-12-05 -- CVE requested
* 2016-01-04 -- Publicly disclosed
