CVE Request: sup MUA Command Injection

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On full-disclosure list there was reported a command injection
vulnerability in 'sup', a console-based email client.

 [0] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
 [1] http://seclists.org/fulldisclosure/2013/Oct/272

For reference quoting the upstream announce:

----cut---------cut---------cut---------cut---------cut---------cut-----
Greetings,

Security advisory (#SBU1) for Sup

We have been notified of an potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
incorporates these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].

This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non OSX systems), you do not quote the string.

Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
discovered and suggested fixes for these issues.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup

You can use 'gem' to upgrade or install sup. Please report any issues
to: https://github.com/sup-heliotrope/sup/issues

Regards, Gaute
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream fixed (as mentioned in announce) the issue in 0.13.2.1 and
0.14.1.1. Commits:

 [2] https://github.com/sup-heliotrope/sup/compare/release-0.13.2...release-0.13.2.1
 [3] https://github.com/sup-heliotrope/sup/compare/release-0.14.1...release-0.14.1.1

Could a CVE be assigned for this issue?

Regards,
Salvatore