oss-sec mailing list archives

Re: Remote command Injection in Creme Fraiche 0.6 Ruby Gem


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 14 May 2013 13:17:40 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/14/2013 10:59 AM, Larry W. Cashdollar wrote:
TITLE: *Remote command Injection in Creme Fraiche 0.6 Ruby Gem*

DATE: 5/14/2013

AUTHOR: Larry W. Cashdollar (@_larry0)

DOWNLOAD: http://rubygems.org/gems/cremefraiche, 
http://www.uplawski.eu/technology/cremefraiche/

DESCRIPTION: Converts Email to PDF files.

VENDOR: Notified on 5/13/2013, provided fix 5/14/2013

FIX: In Version 0.6.1

CVE: TBD (please assign?)

DETAILS: The following lines pass unsanitized user input directly
to the command line.

A malicious email attachment with a file name consisting of shell 
metacharacters could inject commands into the shell.

If the attacker is allowed to specify a filename (via a web gui) 
commands could be injected that way as well.

218 cmd = "pdftk %s update_info %s output %s" %[pdf, info_file, t_file]
219 @log.debug('pdftk-command is ' << cmd)
220 pdftk_result = system( cmd)


GREETINGS:
@vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and
@attritionorg

ADVISORY:
http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html


Please use CVE-2013-2090 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRko3UAAoJEBYNRVNeJnmTytsP/0o3nhU7ZgjyPX8RXjlpJ/ub
sBgcAAv/Zl+x2jntMqnqlNWGPYIRvGrmAKJqxOk+4zdjjd5C/kL/HoW8msM5M2p+
U2V1irC/+YJ1+CY4Em9jPrfAQhE8KqOSBoqbPy3hG15yo65RIR2Bn4dz3dSZKk8x
R2SDTCiqO9LuP3wAYjwxHEQ8d4H0M8QZ/CwuSGFFKB6GRejZHFVXNYxKoiAxqU2u
T8nh1rbjKAoe0JeJVuNW6rqPtpPrJgT0X7Q6xAzNtoyRYjO6EnQmloWqXiX7YoGA
Vuukjt7wpzAWjYxkLZxGY3zGNJ1QhNm1L5+/bDRUCKLT3/h3HgliDo/OBGP8jQ2x
77+lsp2un6DF5iFmCRncaTURTWN9OBD7nKHZvxVtoPAWRfW4CgUSoKjRt1dT/29h
Bz2b+Xc7/IJo4z7AB8kkseE2gdpjUzot+yEzBvCTKbFOHOhZoMRJ4yfL8QexZ8wK
o2uym+OVX/2vLGZVlMF48m5LJShWxykwNjMSk1uolTyTXGRfsvRiU2MTGAGw51fZ
wWmBtHOfEhMF7D+6tEqTe3T1hi/79l1Iu06X//GS0q0+UO8aUBJGz9oalil6TZDU
tA38nMX1eEU12hJKj22oACAUfaDDTukHA0SSgyCHOmXWkIzwJRXzQo6jI6cBymDs
MdyaHEUbaTVtQlQilqp8
=pHRy
-----END PGP SIGNATURE-----
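The pattern in the quoted advisory is `system()` called with a single string built from an attachment name, which hands the string to /bin/sh. The following is an added illustration written for this archive page, not code from the cremefraiche gem or from the advisory author: it puts the vulnerable string-building form beside two hardened forms (an argv array passed to the process spawner so no shell is involved, and Shellwords-escaping for the cases where a shell string is unavoidable) plus a simple basename whitelist. To keep it runnable without pdftk installed, the tool name is a parameter and the demonstration uses `echo` as a stand-in; the attachment name `report.pdf; echo INJECTED` is a constructed sample, not a value from the advisory.

```ruby
require 'shellwords'
require 'open3'

# Constructed sample attachment name carrying shell metacharacters.
HOSTILE_NAME = "report.pdf; echo INJECTED"

# Vulnerable pattern, as in the advisory: one string that the shell re-parses,
# so ';' in the file name terminates the pdftk command and starts a new one.
def build_shell_string(tool, pdf, info_file, t_file)
  "#{tool} %s update_info %s output %s" % [pdf, info_file, t_file]
end

# Hardened pattern: an argv array. Each element reaches the program as exactly
# one argument via execve; no shell ever sees the file name.
def build_argv(tool, pdf, info_file, t_file)
  [tool, pdf, "update_info", info_file, "output", t_file]
end

# Fallback when a shell command line is genuinely required (e.g. a pipeline):
# quote every argument so the shell reconstructs the same argv.
def build_escaped_string(tool, pdf, info_file, t_file)
  Shellwords.join(build_argv(tool, pdf, info_file, t_file))
end

# Defence in depth: accept only a plain basename (letters, digits, '.', '_', '-').
SAFE_NAME = /\A[\w.\-]+\z/
def validate_attachment_name(name)
  raise ArgumentError, "unsafe attachment name: #{name.inspect}" unless name.match?(SAFE_NAME)
  name
end

# Run a single command string; Open3 hands it to /bin/sh exactly like system(cmd).
# Returns the captured output lines so the effect of each form is observable.
def run_string(cmd)
  out, _status = Open3.capture2e(cmd)
  out.lines.map(&:chomp)
end

# Run an argv array; with several arguments Open3 spawns the program directly.
def run_argv(argv)
  out, _status = Open3.capture2e(*argv)
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  args = ["echo", HOSTILE_NAME, "info.txt", "out.pdf"]
  puts "vulnerable string form: #{run_string(build_shell_string(*args)).inspect}"
  puts "argv form:              #{run_argv(build_argv(*args)).inspect}"
  puts "escaped string form:    #{run_string(build_escaped_string(*args)).inspect}"
end
```

With `echo` standing in for pdftk, the vulnerable form produces two output lines, the second one coming from the injected `echo INJECTED` command, whereas both hardened forms produce a single line in which the whole hostile name is just the first argument. The same difference applies to `system(*argv)` and `Process.spawn(*argv)`: the multi-argument call is what avoids the shell, and the basename check rejects such names before any command is built.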

