Re: Local privileges escalation in rubygem open-uri-cached

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> open-uri-cached, a rubygem that will cache downloaded data when using
> open-uri, is susceptible to a local attack

It appears that the critical issue you've identified is execution of
code found in an untrusted location under /tmp. Use CVE-2015-3649.

In most cases, this specific class of /tmp misuse issues is unrelated
to Symlink Following. However, when such an issue exists, it is
conceivable that a Symlink Following vulnerability also exists, could
be fixed independently, and would be of interest to an attacker who
has a goal of overwriting a file rather than directly executing code.
The MITRE CVE team has not done any original research to check for a
Symlink Following vulnerability. If a Symlink Following vulnerability
were to exist, it would not be within the scope of CVE-2015-3649.

Also, the message refers to "usage of YAML in a insecure way." We have
not done any original research to determine whether, in a scenario
where the "untrusted location under /tmp" were no longer used, a
YAML-related vulnerability would still be exploitable. If an
independent "YAML misuse" vulnerability were to exist, it would not be
within the scope of CVE-2015-3649.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVSjYYAAoJEKllVAevmvmsBc0H/1rb5MtLd0UXcNc1Ez6dL3dC
tLUB6CrujIs3yp5ynaNsg6b2cmBoF6GxGRTB4ea4Lg9n4Bv/Ovr6u1aRhtx1gz1f
XtlPnlO4nOzC1Kh9aOa33SvxiRqUw+Ch7G4Vi9tAHYxaxBFH9DGhEvYCC3KWQ4Za
dSMirU3CfkNIywwp3xzAAltXy/tg4VXq4tM0x6j9KK2URhaPJuNVcZDsp12OSpDO
umhE3JJY0FL5eY1QD6YjbyrZbDe7HxjxjhpdpPV8Jh1qcdsttiY1vYq/CQWSwmDu
v/4GfZjw7pR3Bh0uBfVgZ2CmmnWNFCgX2ECWH8D6Nyfy2Im5vG16eFE45ANtRkY=
=NJDF
-----END PGP SIGNATURE-----