Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4

["Larry W. Cashdollar" <larry0 () me com>]

Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4

4/1/2013
Larry W. Cashdollar
@_larry0

User supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is 
tricked into extracting a file with shell characters in the name code can be executed remotely.

https://rubygems.org/gems/karteek-docsplit

./karteek-docsplit-0.5.4/lib/docsplit/text_extractor.rb

59     def extract_from_ocr(pdf, pages)
60       tempdir = Dir.mktmpdir
61       base_path = File.join(@output, @pdf_name)
62       if pages
63         pages.each do |page|
64           tiff = "{tempdir}/{@pdf_name}{page}.tif"
65           file = "{basepath}{page}"
66           run "MAGICKTMPDIR={tempdir} OMP_NUM_THREADS=2 gm convert -despeckle +adjoin #{MEMORY_ARGS} #{OCR_FLAGS} {pdf}[{page - 
1}] #{tiff} 2>&1"
67           run "tesseract #{tiff} {file} -l eng 2>&1"
68           clean_text(file + '.txt') if @clean_ocr
69           FileUtils.remove_entry_secure tiff
70         end
71       else
72         tiff = "{tempdir}/{@pdf_name}.tif"
73         run "MAGICK_TMPDIR={tempdir} OMP_NUM_THREADS=2 gm convert -despeckle #{MEMORY_ARGS} #{OCR_FLAGS} #{pdf} #{tiff} 
2>&1"
74         run "tesseract #{tiff} #{base_path} -l eng 2>&1"
75         clean_text(base_path + '.txt') if @clean_ocr
76       end

Run is defined as:

94     def run(command)
95       result = `#{command}`
96       raise ExtractionFailed, result if $? != 0
97       result
98     end

This vulnerability has been assigned CVE-2013-1933.

http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/