sup

A curses threads-with-tags style email client

sup-website.git

git clone https://supmua.dev/git/sup-website/

community/pipermail-archives/sup-devel/2013-10.txt (4087B)

From eg@gaute.vetsj.com  Tue Oct 29 10:54:58 2013
From: eg@gaute.vetsj.com (Gaute Hope)
Date: Tue, 29 Oct 2013 11:54:58 +0100
Subject: [sup-devel] Security advisory, releases 0.13.2.1 and 0.14.1.1
Message-ID: <1383043976-sup-2451@qwerzila>

Greetings,

Security advisory (#SBU1) for Sup

We have been notified of a potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1, which
incorporate these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].

This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non-OSX systems), you do not quote the string.

Credit goes to: joernchen of Phenoelit (http://phenoelit.de), who
discovered and suggested fixes for these issues.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup

You can use 'gem' to upgrade or install sup. Please report any issues
to: https://github.com/sup-heliotrope/sup/issues

Regards, Gaute

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://rubyforge.org/pipermail/sup-devel/attachments/20131029/fb6f449a/attachment.bin>

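The advisory's point (an already Shellwords.escape'd field must not be wrapped in further quotes) can be checked without running anything, because Ruby's Shellwords.split tokenises a command line with POSIX shell quoting rules and so returns the argv a shell would build. The following Ruby snippet is an added example, not Sup's own code and not joernchen's report; the viewer command and the three sample attachment filenames are constructed for the illustration, and the function name is hypothetical.

```ruby
require 'shellwords'

# Added example, not Sup's own code. It models the pattern the advisory
# warns about: a hook or mailcap entry receives an attachment field
# (filename or content_type) that has already been through
# Shellwords.escape and must NOT wrap it in quotes again.
#
# Nothing is executed: the assembled command line is fed to
# Shellwords.split, which tokenises it with POSIX shell quoting rules,
# so the returned array is the argv a shell would build from it.

# Constructed sample attachment filenames (not taken from any real message).
SPACE_NAME   = "quarterly report.pdf"   # benign, contains a space
QUOTE_NAME   = "it's.pdf"               # benign, contains a single quote
NEWLINE_NAME = "report.pdf\nid"         # attacker-controlled, contains a newline

# Hypothetical viewer command; which viewer a mailcap entry names is irrelevant here.
VIEWER = "run-mailcap --action=view"

# Build the command the way a hook would: escape the field, optionally wrap it
# in the extra quote character the advisory tells hook authors to leave out,
# and report how the shell would tokenise the result. Returns
# :unterminated_quote when the result is not even a valid sequence of words.
def argv_seen_by_shell(field, quote: nil)
  escaped = Shellwords.escape(field)
  arg = quote ? "#{quote}#{escaped}#{quote}" : escaped
  Shellwords.split("#{VIEWER} #{arg}")
rescue ArgumentError
  :unterminated_quote
end

if __FILE__ == $PROGRAM_NAME
  [SPACE_NAME, QUOTE_NAME, NEWLINE_NAME].each do |name|
    puts "field: #{name.inspect}"
    [nil, "'", '"'].each do |q|
      puts "  extra quote #{q.inspect}: #{argv_seen_by_shell(name, quote: q).inspect}"
    end
  end
end
```

Unquoted, every sample comes back as exactly one argv element equal to the original field, which is what Shellwords.escape guarantees. Adding single or double quotes turns the backslashes that escape the space and the apostrophe into literal characters (the viewer is handed a filename that does not exist), and a lone apostrophe inside single quotes leaves the command line with an unterminated quote. The newline case is the dangerous one: Shellwords.escape renders a newline as '<LF>' (a quoted line feed), so a hook that adds its own single quotes around it ends up with the line feed outside any quotes, and the text after it ("id" in the constructed sample) becomes a separate shell command. If the hook is written in Ruby, the safest form sidesteps the shell altogether by passing arguments as separate strings, as in system("run-mailcap", "--action=view", field), which execs the program directly.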
From eg@gaute.vetsj.com  Wed Oct 30 08:38:04 2013
From: eg@gaute.vetsj.com (Gaute Hope)
Date: Wed, 30 Oct 2013 09:38:04 +0100
Subject: [sup-devel] Security advisory, releases 0.13.2.1 and 0.14.1.1
In-Reply-To: <1383043976-sup-2451@qwerzila>
References: <1383043976-sup-2451@qwerzila>
Message-ID: <1383122092-sup-2694@qwerzila>

Excerpts from Gaute Hope's message of 2013-10-29 11:54:58 +0100:
> Greetings,
> 
> Security advisory (#SBU1) for Sup
> 
> We have been notified of a potential exploit in the somewhat careless
> way Sup treats attachment metadata in received e-mails. The issues
> should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1, which
> incorporate these fixes. Please upgrade immediately and also ensure
> that your mime-decode or mime-view hooks are secure [0], [1].
> 
> This is specifically related to using quotes (',") around filename or
> content_type which is already escaped using Ruby Shellwords.escape -
> this means that the string (content_type, filename) is intended to be
> used _without_ any further quotes. Please make sure that if you use
> .mailcap (non-OSX systems), you do not quote the string.
> 
> Credit goes to: joernchen of Phenoelit (http://phenoelit.de), who
> discovered and suggested fixes for these issues.
> 
> [0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
> [1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
> 
> You can use 'gem' to upgrade or install sup. Please report any issues
> to: https://github.com/sup-heliotrope/sup/issues
> 
> Regards, Gaute

For those interested, joernchen's report at full-disclosure:

* http://seclists.org/fulldisclosure/2013/Oct/272
* http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt (attached)

- gaute

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: whatsup.txt
URL: <http://rubyforge.org/pipermail/sup-devel/attachments/20131030/358efacd/attachment.txt>

From matthieu.rakotojaona@gmail.com  Wed Oct 30 13:51:03 2013
From: matthieu.rakotojaona@gmail.com (rara7020 .)
Date: Wed, 30 Oct 2013 14:51:03 +0100
Subject: [sup-devel] Security advisory, releases 0.13.2.1 and 0.14.1.1
In-Reply-To: <1383122092-sup-2694@qwerzila>
References: <1383043976-sup-2451@qwerzila> <1383122092-sup-2694@qwerzila>
Message-ID: <CAMiZLn32Eg9G4Mt=_qZ4m_r0hctx-+HxdJvhKFuatytZ7iqWGg@mail.gmail.com>

Hello,

Nice catch. Thank you for your management of this issue.


-- 
Matthieu RAKOTOJAONA