Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
From: cve-assign@...re.org
To: larry0@...com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are not sure of the best way to interpret statements such as

> If this Gem is used in the context of a Rails application it maybe
> possible for a remote user to inject commands into the shell via
> #{password} #{user} #{deploy_name} #{application} variables if that
> data is user supplied.

At this level, one question might be: is it possible that this Gem
wasn't ever intended to be used in the context of a Rails application?
(This question may also apply to some other recent CVE requests.)

At a slightly higher level:

http://rubygems.org/gems/kompanee-recipes says "These are the common
recipes we've been using here at The Kompanee." It seems unclear
whether this is really intended to have widespread use as-is except by
thekompanee.com insiders. For example, parts of it seem highly
site-specific such as lib/kompanee-recipes/bash.rb "This will install
a more secure SSH environment ... it will ... change the default
port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config
/etc/ssh/sshd_config" or lib/kompanee-recipes/environment.rb 'Sets
intelligent defaults for Kompanee Rackspace deployments ... :domain,
"thekompanee.com" ... :server_ip, "174.143.212.245" ... Most of these
values can be overridden in each application's deploy.rb file.
Unfortunately some of them can't be such as :scm but they're our
recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically,
site-specific. It would perhaps be reasonable to decline to assign CVE
IDs for anything in kompanee-recipes because the entire Gem is
arguably being published as example code that could be adapted by
other organizations, not as a general-use product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTv7oIAAoJEKllVAevmvmsKcgIAMLvYt3CXRyjdeJXFshRaOjR
lw+XRRVez3c3TuuD7fpJdySJgneYIwqhkCPgVrroWsbK1s/9dudWz7urYOgbi3Mc
LaFNZlUgM+phWf3mGFUEk3eHWBJ/e1DD7+WMxYzkoh1Rs4NAOoeCnBmDfSv35gaP
bp0eVlgzMthvnoOs/EO3eXWmYR+8rD6CNugTvusKXceUa+HZgY+L/F4ijSXaeZbk
DTS+ZuMFYHBjAh2tfE9Bel82EqaMLlEzIwFGwLZuJE6spHex26cR1k4fOE6p3wBN
BaZi3u8DDe7hG2Dd+ZffIUO2aPh8fqIsd3vxazYHWUKkIvPZsZkYtSj790WrtZ4=
=gOdq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.