
List:       oss-security
Subject:    Re: [oss-security] Remote command execution in Ruby Gem ldoce 0.0.2
From:       Larry Cashdollar <larry0 () me ! com>
Date:       2013-03-31 19:36:43
Message-ID: 13dc1f39c91.2736.e9a71456a41b1faeabc6c13ed23b7beb () me ! com

Oh, sorry here it is:

http://rubygems.org/gems/ldoce


Sent with AquaMail for Android
http://www.aqua-mail.com


On March 31, 2013 3:23:00 PM Kurt Seifried <kseifried@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/31/2013 10:11 AM, Larry W. Cashdollar wrote:
> >
> > Remote command execution in Ruby Gem ldoce 0.0.2
> >
> > /Larry W. Cashdollar @_larry0 3/25/2013/
> > ------------------------------------------------------------------------
> >
> >  Ldoce Ruby Gem:
> >
> > Easily interface with the Longman Dictionary of Contemporary
> > English API from Ruby:
> >
> > NB currently mac only as it depends on the afplay command.
> >
> > https://github.com/markburns/ldoce
> >
> > Ldoce passes an mp3 url to the command line for audio output of the
> > pronunciation of a dictionary word:
> >
> > If the URL or filename for the mp3 files contains shell
> > metacharacters, code can be executed remotely as the client:
> >
> > [./ldoce-0.0.2/lib/ldoce/word.rb]
> >
> > if mp3?
> >   unless File.exists? filename
> >     command = "curl #{mp3_url} -silent > (unknown)"
> >     `#{command}`
> >   end
> >   `afplay #(unknown)`
> > end
> >
>
> Just one note, can you include the link (if available) to the gem on
> the rubygems.org site (which where most people seem to get their gems).
>
> Please use CVE-2013-1911 for this issue.
>
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJRWI0UAAoJEBYNRVNeJnmTrHMP/RDKi6LHT+t0viJZy2zsqftQ
> W87AvNUOpUGDx1ip78No/ymXwHgWiFLoH+n6I4GpPZ4CuTfUlWos9kRJ0GpWFPZi
> nwMsJvgMh7ZEtHUHR+aVssvbwTTU5P2bKkCM5ishVTwKYtFTHQECHzSd44OE5/D5
> zqQN+mYTIh+tW71LIG0NVwUJuazgi/Z0rA9Bv03X31Vja7G/83/R44IrTGS6eXG+
> 0Ymmfpmfiy+2cdTjnVPKq+zVTVwLyMoPDTouzP3wbsERxrMXEQEqSlo4JtDZQUcC
> cjrIk9mOp4tJ2spS2ez1duIAJGKDKUNlL+44GKTOCjAEZmGorDoDo+Iv/XsPcEXS
> azxhlx3ikJjMByKcQfe9c9aVJJj6vHOzUNbTkFyC4bDWT3CbDLmuZtN+WHtfNpE8
> xUOGxlvWLDwtunFRVVrGinZfg7QetcWyI7KBr6QGLMyRPNshOhi4iKABtmpF5VxP
> M7Qo8t9v0V3E3fhjo053E6g4zG33JidBPP8B4WJ3dX6yJWYb1GAB+EHUTQh48Yub
> PBJgqgeuQdTJu0JLkbKj0YTyrQRdg8Jo8pCDdhodeModsC+iHY/brvKjYVjoZVxH
> IKf2ga6p6apAL2ZCKGzO6dfpXF02SxaTzaaEuIJOx5KDMws8BfxJ+mPFQ6AU1DC7
> dOZVOFV7G9DFkA2ER8gy
> =9PGv
> -----END PGP SIGNATURE-----
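The quoted word.rb fragment shows the pattern behind CVE-2013-1911: a URL and filename taken from remote data are interpolated into a single string that backticks hand to /bin/sh, so any shell metacharacter in them becomes part of the command line. The following Ruby is an added example written for this archive page, not code from the ldoce gem or from either poster. It rebuilds the vulnerable string (without executing it) beside three defensive alternatives: allow-list validation of the URL and filename, argument-vector execution via Open3 so no shell parses the input, and Shellwords escaping for cases where a shell string cannot be avoided. The sample URLs, the function names and the use of printf (in place of curl, so the block runs offline) are all constructed for the example.

```ruby
require "open3"
require "shellwords"
require "uri"

# Constructed sample inputs, not taken from the advisory.
GOOD_URL = "http://example.invalid/media/word.mp3"
BAD_URL  = "http://example.invalid/word.mp3; echo injected"

# The pattern the advisory describes: remote data interpolated into one
# string that backticks hand to /bin/sh, so any shell metacharacter in
# mp3_url or filename becomes part of the command line. This helper only
# builds the string; nothing here executes it.
def vulnerable_command(mp3_url, filename)
  "curl #{mp3_url} -silent > #{filename}"
end

# Mitigation 1: allow-list the inputs before they go anywhere near a process.
# Only http(s) URLs with a host and a plain /segment/name.mp3 path pass.
def valid_mp3_url?(str)
  uri = URI.parse(str)
  %w[http https].include?(uri.scheme) &&
    !uri.host.to_s.empty? &&
    uri.path.to_s.match?(%r{\A(/[\w.-]+)+\.mp3\z})
rescue URI::InvalidURIError
  false
end

# A bare file name only: no path separators, no leading dot.
def valid_filename?(str)
  str.match?(/\A[\w.-]+\.mp3\z/) && !str.start_with?(".")
end

# Mitigation 2: build an argument vector instead of a shell string. Each
# element reaches the child program unchanged, so no shell ever parses the
# URL. Bad input raises instead of silently reaching a process.
def download_argv(mp3_url, filename)
  raise ArgumentError, "rejected URL: #{mp3_url}" unless valid_mp3_url?(mp3_url)
  raise ArgumentError, "rejected filename: #{filename}" unless valid_filename?(filename)
  ["curl", "--silent", "-o", filename, mp3_url]
end

# Demonstrates that argv execution defeats injection: printf (used here so
# the block runs offline) receives the metacharacters literally and prints
# them back, rather than a shell acting on them.
def echo_via_argv(str)
  out, status = Open3.capture2("printf", "%s", str)
  status.success? ? out : nil
end

# Mitigation 3 (when a shell string is unavoidable): escape the value so the
# shell treats it as one literal word.
def escaped_for_shell(str)
  Shellwords.escape(str)
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_command(BAD_URL, "word.mp3")      # metacharacters survive intact
  puts download_argv(GOOD_URL, "word.mp3").inspect  # argv form for Open3/system
  puts echo_via_argv(BAD_URL)                        # comes back literally
  puts escaped_for_shell(BAD_URL)                    # safe as a single shell word
end
```

The argv form (`Open3.capture2("curl", "--silent", "-o", filename, url)` or `system("curl", ...)` with separate arguments) is the primary fix; validation and escaping are defence in depth, since a URL such as `http://host/x.mp3;id` is syntactically valid and only the absence of a shell makes the semicolon inert.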

