* Security advisory, releases 0.13.2.1 and 0.14.1.1
@ 2013-10-29 10:54 Gaute Hope
2013-10-30 8:38 ` Gaute Hope
0 siblings, 1 reply; 3+ messages in thread
From: Gaute Hope @ 2013-10-29 10:54 UTC (permalink / raw)
To: sup-talk, sup-devel
[-- Attachment #1: Type: text/plain, Size: 1137 bytes --]
Greetings,
Security advisory (#SBU1) for Sup
We have been notified of an potential exploit in the somewhat careless
way Sup treats attachment metadata in received e-mails. The issues
should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
incorporates these fixes. Please upgrade immediately and also ensure
that your mime-decode or mime-view hooks are secure [0], [1].
This is specifically related to using quotes (',") around filename or
content_type which is already escaped using Ruby Shellwords.escape -
this means that the string (content_type, filename) is intended to be
used _without_ any further quotes. Please make sure that if you use
.mailcap (non OSX systems), you do not quote the string.
Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
discovered and suggested fixes for these issues.
[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
You can use 'gem' to upgrade or install sup. Please report any issues
to: https://github.com/sup-heliotrope/sup/issues
Regards, Gaute
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Security advisory, releases 0.13.2.1 and 0.14.1.1
2013-10-29 10:54 Security advisory, releases 0.13.2.1 and 0.14.1.1 Gaute Hope
@ 2013-10-30 8:38 ` Gaute Hope
2013-10-30 13:51 ` [sup-devel] " rara7020 .
0 siblings, 1 reply; 3+ messages in thread
From: Gaute Hope @ 2013-10-30 8:38 UTC (permalink / raw)
To: sup-devel
[-- Attachment #1: Type: text/plain, Size: 1425 bytes --]
Excerpts from Gaute Hope's message of 2013-10-29 11:54:58 +0100:
> Greetings,
>
> Security advisory (#SBU1) for Sup
>
> We have been notified of an potential exploit in the somewhat careless
> way Sup treats attachment metadata in received e-mails. The issues
> should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
> incorporates these fixes. Please upgrade immediately and also ensure
> that your mime-decode or mime-view hooks are secure [0], [1].
>
> This is specifically related to using quotes (',") around filename or
> content_type which is already escaped using Ruby Shellwords.escape -
> this means that the string (content_type, filename) is intended to be
> used _without_ any further quotes. Please make sure that if you use
> .mailcap (non OSX systems), you do not quote the string.
>
> Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
> discovered and suggested fixes for these issues.
>
> [0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
> [1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
>
> You can use 'gem' to upgrade or install sup. Please report any issues
> to: https://github.com/sup-heliotrope/sup/issues
>
> Regards, Gaute
For those interested; joernchens report at full-disclosure:
* http://seclists.org/fulldisclosure/2013/Oct/272
* http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt (attached)
- gaute
[-- Attachment #2: whatsup.txt --]
[-- Type: text/plain, Size: 1829 bytes --]
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
sup <= 0.14.1 (on non Darwin systems)
sup <= 0.13.2 (on non Darwin systems)
http://supmua.org
[ Vendor communication ]
2013-10-28 Send vulnerability details to sup maintainer
2013-10-28 Maintainer proposes fix
2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
2013-10-29 Release of this advisory
[ Description ]
Observe in sup/lib/sup/message_chunks.rb:
def view_default! path
## please see note in write_to_disk on important usage
## of quotes to avoid remote command injection.
case RbConfig::CONFIG['arch']
when /darwin/
cmd = "open #{path}"
else
cmd = "/usr/bin/run-mailcap --action=view #{ () content_type}:#{path}"
end
debug "running: #{cmd.inspect}"
BufferManager.shell_out(cmd)
$? == 0
end
Here @content_type is attacker controlled and not further
sanitized. By this a forged content type of an email
attachment can trigger a command injection.
[ Example ]
For convenience the email delivering this file serves as an
example. When viewing this attachment in a vulnerable version
of sup the content type being "text/'`id>/tmp/whatsup`'pwn"
will generate a file "whatsup" in the /tmp directory.
[ Solution ]
Upgrade to version 0.14.1.1 or 0.13.2.1
[ References ]
[0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
[1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
[ end of file ]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [sup-devel] Security advisory, releases 0.13.2.1 and 0.14.1.1
2013-10-30 8:38 ` Gaute Hope
@ 2013-10-30 13:51 ` rara7020 .
0 siblings, 0 replies; 3+ messages in thread
From: rara7020 . @ 2013-10-30 13:51 UTC (permalink / raw)
To: Sup developer discussion
Hello,
Nice catch. Thank you for your management of this issue.
--
Matthieu RAKOTOJAONA
_______________________________________________
Sup-devel mailing list
Sup-devel@rubyforge.org
http://rubyforge.org/mailman/listinfo/sup-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-10-30 14:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-10-29 10:54 Security advisory, releases 0.13.2.1 and 0.14.1.1 Gaute Hope
2013-10-30 8:38 ` Gaute Hope
2013-10-30 13:51 ` [sup-devel] " rara7020 .
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox