oss-sec mailing list archives

Re: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem


From: Larry Cashdollar <larry0 () me com>
Date: Sun, 01 Sep 2013 13:44:31 -0400

Yes sorry this is for the gem only.




On September 1, 2013 12:25:17 PM cve-assign () mitre org wrote:

>Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem
>Download: https://rubygems.org/gems/fog-dragonfly
>
>"Dragonfly is an on-the-fly Rack-based image handling framework. It is
>suitable for use with Rails, Sinatra and other web frameworks.
>
>Unescaped user supplied input is passed to the command line for shell
>execution
>
>fog-dragonfly-0.8.2/lib/dragonfly/image_magick_utils.rb:
>
> 20     def convert(temp_object, args='', format=nil)
> 21       tempfile = new_tempfile(format)
> 22       run "#{convert_command} #{args} #{temp_object.path} #{tempfile.path}"
> 23       tempfile
> 24     end
>
>
> 61     def run(command)
> 62       log.debug("Running command: #{command}") if ImageMagickUtils.log_commands
> 63       begin
> 64         result = `#{command}`

Use CVE-2013-5671 for this vulnerability in the fog-dragonfly gem. As
far as we can tell, this is a vulnerability in the fog-dragonfly gem,
not a vulnerability in Dragonfly. We found these possibly related
fixes in Dragonfly:

  https://github.com/markevans/dragonfly/commit/ff141bb1d921fff506084b62a562f7a83d5e01fe#lib/dragonfly/image_magick/utils.rb

  https://github.com/markevans/dragonfly/commit/47f95bd6b8af11fb0a44d6ab1c6f7d00d880cb68

If the unpatched Dragonfly code has a vulnerability in a common use
case, this would require a separate CVE ID.

-- CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
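The hardened counterpart of the quoted convert/run pair, as an added example that is not Dragonfly's, the gem's or either poster's code. The functions build_convert_argv and run_argv, the option-token regex and the hostile filename are assumptions of this example; the point is that the subprocess is started from an argv array, so no shell ever sees the user-controlled values.

```ruby
# Added example: hardened form of the quoted `convert` / `run` pair.
# Ruby's backticks, `system(str)` and `Open3.capture2e(str)` hand a single
# string to /bin/sh; passing several arguments instead uses execve semantics,
# so metacharacters in user-controlled values are never interpreted.
require 'open3'

# Hypothetical safe replacement for the quoted `convert`. `args` must be an
# Array of separate option tokens (e.g. ["-resize", "100x100"]) rather than a
# single interpolated string, so a caller cannot splice in a second command.
def build_convert_argv(convert_command, args, src_path, dst_path)
  raise ArgumentError, 'args must be an Array of tokens' unless args.is_a?(Array)
  args.each do |tok|
    # Conservative allow-list for ImageMagick option tokens and geometries;
    # anything like "-resize; id" is rejected before a process is spawned.
    unless tok.match?(/\A[\w.+\-x%!:@=,]+\z/)
      raise ArgumentError, "bad option token: #{tok.inspect}"
    end
  end
  # Paths are their own argv elements; spaces or ';' in them stay literal.
  [convert_command, *args, src_path, dst_path]
end

# Hypothetical safe replacement for the quoted `run`: the argv splat means
# no shell is involved, so there is nothing left to inject into.
def run_argv(argv)
  out, status = Open3.capture2e(*argv)
  raise "command failed (#{status.exitstatus}): #{argv.first}" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile filename: with the original backtick interpolation the
  # shell would run `touch /tmp/pwned`; here /bin/echo just prints it verbatim.
  hostile = 'in.png; touch /tmp/pwned'
  argv = build_convert_argv('convert', ['-resize', '100x100'], hostile, 'out.png')
  puts run_argv(['echo', *argv])
end
```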

