
List:       oss-security
Subject:    [oss-security] Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)
From:       Jon Yurek <jyurek () thoughtbot ! com>
Date:       2013-10-22 20:18:05
Message-ID: 777A8DF3-2A37-46F8-A3B3-91595AC04CEF () thoughtbot ! com

Recursive Interpolation Vulnerability in Cocaine rubygem

There is a vulnerability in the way Cocaine interpolates variables into a command line: a
value that has already been substituted is itself scanned for further placeholders, so
interpolation is effectively recursive. This vulnerability has been assigned the CVE identifier
CVE-2013-4457.

Versions Affected:  0.4.x, 0.5.1, 0.5.2
Not affected:       0.3.x
Fixed Versions:     0.5.3

Impact
------

Due to the method of variable interpolation in Cocaine 0.4.0 through 0.5.2, an attacker may be
able to inject hostile commands into a command line via a crafted hash of interpolation values.
When one value contains the placeholder of another key, the second value is substituted into the
already-quoted result of the first, and the injected text ends up on the command line without
proper escaping.

The impact is lessened on Ruby 1.8.x because hashes are not ordered by default, so the order in
which the values are interpolated is not predictable and an attacker must rely on luck for the
attack to work.

An attack of this sort cannot take place if there is only one value being interpolated into the \
command line.
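The mechanism described above, as an added example that is not Cocaine's own code. The two
interpolation routines, the `shell_quote` helper, the template `echo :first :second` and the
attacker-supplied hash are all constructed for this illustration: `interpolate_recursive`
models the per-key substitution of the affected versions, `interpolate_single_pass` models a
fix that matches every placeholder in one pass over the original template, and `injected?`
checks the finished line for a bare `;` word as a shell would see it.

```ruby
require 'shellwords'

# Single-quote a value for POSIX sh: wrap in '...' and close/escape/reopen
# any embedded single quote. Written here for the example; not the gem's helper.
def shell_quote(value)
  "'" + value.to_s.gsub("'", "'\\\\''") + "'"
end

# VULNERABLE (models Cocaine 0.4.0 - 0.5.2): one gsub per key, each applied to
# the output of the previous one. Quoted text produced by an earlier
# substitution is rescanned, so a value that merely contains ":second" has
# ":second" expanded inside its own quotes, and the two quote layers cancel.
def interpolate_recursive(pattern, interpolations)
  interpolations.inject(pattern) do |command, (key, value)|
    command.gsub(":#{key}") { shell_quote(value) }
  end
end

# FIXED (models a single-pass strategy): one gsub over the original template
# that matches every key at once, so substituted text is never rescanned.
def interpolate_single_pass(pattern, interpolations)
  by_name = interpolations.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  return pattern if by_name.empty?
  # Longest keys first so ":in" cannot shadow ":input".
  names = by_name.keys.sort_by { |k| -k.length }.map { |k| Regexp.escape(k) }
  pattern.gsub(/:(#{names.join('|')})\b/) { shell_quote(by_name[$1]) }
end

# Split a finished command line into the words a shell would see. A bare ";"
# word is a command separator, i.e. the injection escaped the quoting.
def injected?(command_line)
  Shellwords.split(command_line).include?(';')
end

# Constructed attack input: the attacker controls both values. The first only
# names the second placeholder; the second carries the payload.
TEMPLATE = 'echo :first :second'
ATTACK = { first: ':second', second: '; id' }

# Same values, opposite hash order: on an unordered (Ruby 1.8) hash the attacker
# cannot choose which of the two orders the recursive routine will use.
ATTACK_REVERSED = { second: '; id', first: ':second' }

def vulnerable_output
  interpolate_recursive(TEMPLATE, ATTACK)
end

def lucky_order_output
  interpolate_recursive(TEMPLATE, ATTACK_REVERSED)
end

def fixed_output
  interpolate_single_pass(TEMPLATE, ATTACK)
end

if __FILE__ == $0
  puts "recursive:      #{vulnerable_output}   injected=#{injected?(vulnerable_output)}"
  puts "reversed order: #{lucky_order_output}   injected=#{injected?(lucky_order_output)}"
  puts "single-pass:    #{fixed_output}   injected=#{injected?(fixed_output)}"
end
```

With the vulnerable routine the first substitution yields `echo ':second' :second`; the second
then rewrites both occurrences to `'; id'`, giving `echo ''; id'' '; id'`, where the `;`
between the cancelled quotes terminates `echo` and starts a new command. The single-pass routine
leaves `echo ':second' '; id'`, and with a single interpolated value the recursive routine is
equally safe, matching the note above.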

Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of \
the 2.7 branch of Paperclip will not need to upgrade as the version of Cocaine it uses is not \
vulnerable to this attack.

Releases
--------
Version 0.5.3 fixes the problem and is available from rubygems.org.

Credits
-------

Thanks to Holger Just for reporting this! 

--
Jon Yurek
http://thoughtbot.com

