Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 29 Oct 2013 20:30:08 +0100
From: Salvatore Bonaccorso <>
Subject: CVE Request: sup MUA Command Injection


On full-disclosure list there was reported a command injection
vulnerability in 'sup', a console-based email client.


For reference quoting the upstream announce:


Security advisory (#SBU1) for Sup

We have been notified of an potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup and which
incorporates these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].

This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non OSX systems), you do not quote the string.

Credit goes to: joernchen of Phenoelit ( who
discovered and suggested fixes for these issues.


You can use 'gem' to upgrade or install sup. Please report any issues

Regards, Gaute

Upstream fixed (as mentioned in announce) the issue in and Commits:


Could a CVE be assigned for this issue?


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.