Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 May 2013 13:17:40 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Remote command Injection in Creme Fraiche 0.6
 Ruby Gem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/14/2013 10:59 AM, Larry W. Cashdollar wrote:
> TITLE: *Remote command Injection in Creme Fraiche 0.6 Ruby Gem*
> 
> DATE: 5/14/2013
> 
> AUTHOR: Larry W. Cashdollar (@_larry0)
> 
> DOWNLOAD: http://rubygems.org/gems/cremefraiche, 
> http://www.uplawski.eu/technology/cremefraiche/
> 
> DESCRIPTION: Converts Email to PDF files.
> 
> VENDOR: Notifed on 5/13/2013, provided fix 5/14/2013
> 
> FIX: In Version 0.6.1
> 
> CVE: TBD (please assign?)
> 
> DETAILS: The following lines pass unsanitized user input directly
> to the command line.
> 
> A malicious email attachment with a file name consisting of shell 
> metacharacters could inject commands into the shell.
> 
> If the attacker is allowed to specify a filename (via a web gui) 
> commands could be injected that way as well.
> 
> 218 cmd = "pdftk %s update/info %s output %s" %[pdf, info/file,
> t/file] 219 @log.debug('pdftk-command is ' << cmd) 220 pdftk/result
> = system( cmd)
> 
> 
> GREETINGS:
> @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and
> @attritionorg
> 
> ADVISORY:
> http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
> 

Please use CVE-2013-2090 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRko3UAAoJEBYNRVNeJnmTytsP/0o3nhU7ZgjyPX8RXjlpJ/ub
sBgcAAv/Zl+x2jntMqnqlNWGPYIRvGrmAKJqxOk+4zdjjd5C/kL/HoW8msM5M2p+
U2V1irC/+YJ1+CY4Em9jPrfAQhE8KqOSBoqbPy3hG15yo65RIR2Bn4dz3dSZKk8x
R2SDTCiqO9LuP3wAYjwxHEQ8d4H0M8QZ/CwuSGFFKB6GRejZHFVXNYxKoiAxqU2u
T8nh1rbjKAoe0JeJVuNW6rqPtpPrJgT0X7Q6xAzNtoyRYjO6EnQmloWqXiX7YoGA
Vuukjt7wpzAWjYxkLZxGY3zGNJ1QhNm1L5+/bDRUCKLT3/h3HgliDo/OBGP8jQ2x
77+lsp2un6DF5iFmCRncaTURTWN9OBD7nKHZvxVtoPAWRfW4CgUSoKjRt1dT/29h
Bz2b+Xc7/IJo4z7AB8kkseE2gdpjUzot+yEzBvCTKbFOHOhZoMRJ4yfL8QexZ8wK
o2uym+OVX/2vLGZVlMF48m5LJShWxykwNjMSk1uolTyTXGRfsvRiU2MTGAGw51fZ
wWmBtHOfEhMF7D+6tEqTe3T1hi/79l1Iu06X//GS0q0+UO8aUBJGz9oalil6TZDU
tA38nMX1eEU12hJKj22oACAUfaDDTukHA0SSgyCHOmXWkIzwJRXzQo6jI6cBymDs
MdyaHEUbaTVtQlQilqp8
=pHRy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.