From: Gaute Hope
To: sup-talk, sup-devel
Subject: Security advisory, releases 0.13.2.1 and 0.14.1.1
Date: Tue, 29 Oct 2013 11:54:58 +0100
Message-Id: <1383043976-sup-2451@qwerzila>

Greetings,

Security advisory (#SBU1) for Sup

We have been notified of a potential exploit in the somewhat careless way Sup treats attachment metadata in received e-mails. The issues should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1, which incorporate these fixes. Please upgrade immediately and also ensure that your mime-decode or mime-view hooks are secure [0], [1].

This is specifically related to using quotes (', ") around filename or content_type, which are already escaped using Ruby's Shellwords.escape; this means that the string (content_type, filename) is intended to be used _without_ any further quotes. Please make sure that if you use .mailcap (non-OSX systems), you do not quote the string.

Credit goes to joernchen of Phenoelit (http://phenoelit.de), who discovered these issues and suggested fixes for them.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup

You can use 'gem' to upgrade or install sup.

Please report any issues to: https://github.com/sup-heliotrope/sup/issues

Regards, Gaute
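The point about not re-quoting a Shellwords-escaped value, shown as an added Ruby example (this is not code from the advisory or from Sup; it assumes xdg-open as a hypothetical viewer and uses Shellwords.split as a stand-in for the shell's own word splitting):

```ruby
require 'shellwords'

# Sup hands mime-view / mime-decode hooks a filename that has already been
# run through Shellwords.escape, so the hook must use it without quotes.
def escaped_from_sup(raw_filename)
  Shellwords.escape(raw_filename)
end

# Correct pattern from the advisory: interpolate the escaped string as-is.
UNQUOTED = lambda { |viewer, escaped| "#{viewer} #{escaped}" }

# The pattern the advisory warns against: wrapping the escaped string in
# an extra layer of quotes (single quotes break it the same way).
DOUBLE_QUOTED = lambda { |viewer, escaped| "#{viewer} \"#{escaped}\"" }

# Shellwords.split stands in for the shell here: it returns the argv the
# viewer program would actually receive after word splitting and unquoting.
def viewer_argv(command)
  Shellwords.split(command)
end

# True when the viewer receives exactly one filename argument and it equals
# the original (unescaped) name. A false result means the extra quoting kept
# Shellwords' backslashes as literal characters, so the command no longer
# carries the value the hook author intended.
def filename_round_trips?(builder, raw_filename)
  argv = viewer_argv(builder.call("xdg-open", escaped_from_sup(raw_filename)))
  argv.length == 2 && argv[1] == raw_filename
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attachment names (hypothetical, not from the advisory).
  ["report.pdf", "quarterly report.pdf", "o'reilly notes.txt"].each do |name|
    puts format("%-22s unquoted=%-5s double_quoted=%s", name.inspect,
                filename_round_trips?(UNQUOTED, name),
                filename_round_trips?(DOUBLE_QUOTED, name))
  end
end
```

Only names made of characters Shellwords leaves untouched survive the extra quotes; anything with a space or quote in it reaches the viewer with stray backslashes.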