Excerpts from Gaute Hope's message of 2013-10-29 11:54:58 +0100:
> Greetings,
> 
> Security advisory (#SBU1) for Sup
> 
> We have been notified of an potential exploit in the somewhat careless
> way Sup treats attachment metadata in received e-mails. The issues
> should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
> incorporates these fixes. Please upgrade immediately and also ensure
> that your mime-decode or mime-view hooks are secure [0], [1].
> 
> This is specifically related to using quotes (',") around filename or
> content_type which is already escaped using Ruby Shellwords.escape -
> this means that the string (content_type, filename) is intended to be
> used _without_ any further quotes. Please make sure that if you use
> .mailcap (non OSX systems), you do not quote the string.
> 
> Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
> discovered and suggested fixes for these issues.
> 
> [0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
> [1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
> 
> You can use 'gem' to upgrade or install sup. Please report any issues
> to: https://github.com/sup-heliotrope/sup/issues
> 
> Regards, Gaute

For those interested; joernchens report at full-disclosure:

* http://seclists.org/fulldisclosure/2013/Oct/272
* http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt (attached)

- gaute