oss-sec mailing list archives
Vulnerability Report for Ruby Gem gyazo-1.0.0
From: larry0 () me com (Larry W. Cashdollar)
Date: Mon, 7 Jul 2014 14:14:03 -0400 (EDT)
Title: Vulnerability Report for Ruby Gem gyazo-1.0.0
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108563
CVE: Please Assign
Download: http://rubygems.org/gems/gyazo
Gem Author: masui () pitecan com
From: ./gyazo-1.0.0/lib/gyazo/client.rb (lines 57-62)

If this Gem is used in the context of a Rails app, a malicious user may inject commands via #{imagefile} and #{tmpfile} using shell meta characters like ; and by sending an escaped \" through the #{imagefile} name if the raw option is not set. Also, file names are time based and predictable, leading to file clobbering vulnerabilities as the running process username.

    unless opts[:raw]
      tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
      if File.exist? imagefile
        system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
      end
    end

Advisory: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
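As an added example (not the gem's or the reporter's code, helper names are hypothetical), the two fixes a maintainer would apply to the snippet above: exec sips without going through /bin/sh, and replace the timestamp-named /tmp path with a Tempfile.

```ruby
require "tempfile"

# 1. What client.rb does today: one shell command string built by
#    interpolation, so ; " $() etc. inside imagefile reach /bin/sh as syntax.
#    Kept here only for side-by-side comparison.
def shell_string_command(imagefile, tmpfile)
  "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
end

# 2. Hardened: pass argv as separate strings. Kernel#system with more than
#    one argument execs sips directly (no shell), so the filename is a single
#    literal argument whatever bytes it contains.
def shell_free_argv(imagefile, tmpfile)
  ["sips", "-s", "format", "png", imagefile, "--out", tmpfile]
end

# 3. Hardened temp path: Tempfile opens with O_CREAT|O_EXCL, mode 0600, and a
#    random component in the name, unlike /tmp/gyazo_upload_<sec>_<usec>.png.
#    The caller must keep the Tempfile object alive until the PNG is consumed.
def unpredictable_png_tmpfile
  Tempfile.new(["gyazo_upload_", ".png"])
end

# Hypothetical replacement for the vulnerable branch: returns the Tempfile on
# success, nil if the input is missing or sips fails.
def convert_to_png(imagefile)
  return nil unless File.file?(imagefile)
  tmp = unpredictable_png_tmpfile
  ok = system(*shell_free_argv(imagefile, tmp.path), out: File::NULL)
  return tmp if ok
  tmp.close!
  nil
end
```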