'Re: [oss-security] CVE Request: sup MUA Command Injection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: sup MUA Command Injection
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-10-30 4:56:26
Message-ID: 5270917A.4070203 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2013 08:26 PM, Murray McAllister wrote:
> On 10/30/2013 07:44 AM, Kurt Seifried wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 10/29/2013 01:30 PM, Salvatore Bonaccorso wrote:
>>> Hi,
>>> 
>>> On full-disclosure list there was reported a command injection 
>>> vulnerability in 'sup', a console-based email client.
>>> 
>>> [0] 
>>> http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
>>>
>>> 
[1] http://seclists.org/fulldisclosure/2013/Oct/272
>>> 
>>> For reference quoting the upstream announce:
>>> 
>>> ----cut---------cut---------cut---------cut---------cut---------cut-----
>>>
>>>
>>
>>> 
Greetings,
>>> 
>>> Security advisory (#SBU1) for Sup
>>> 
>>> We have been notified of an potential exploit in the somewhat 
>>> careless way Sup treats attachment metadata in received
>>> e-mails. The issues should now be fixed and I have released Sup
>>> 0.13.2.1 and 0.14.1.1 which incorporates these fixes. Please
>>> upgrade immediately and also ensure that your mime-decode or
>>> mime-view hooks are secure [0], [1].
>>> 
>>> This is specifically related to using quotes (',") around
>>> filename or content_type which is already escaped using Ruby 
>>> Shellwords.escape - this means that the string (content_type, 
>>> filename) is intended to be used _without_ any further quotes. 
>>> Please make sure that if you use .mailcap (non OSX systems),
>>> you do not quote the string.
>>> 
>>> Credit goes to: joernchen of Phenoelit (http://phenoelit.de)
>>> who discovered and suggested fixes for these issues.
>>> 
>>> [0]
>>> https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments 
>>> [1]
>>> https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
>>> 
>>> You can use 'gem' to upgrade or install sup. Please report any 
>>> issues to: https://github.com/sup-heliotrope/sup/issues
>>> 
>>> Regards, Gaute 
>>> ----cut---------cut---------cut---------cut---------cut---------cut-----
>>>
>>>
>>> 
Upstream fixed (as mentioned in announce) the issue in 0.13.2.1
>>> and 0.14.1.1. Commits:
>>> 
>>> [2] 
>>> https://github.com/sup-heliotrope/sup/compare/release-0.13.2...release-0.13.2.1
>>>
>>>
>>>
>>
>>> 
[3]
>> https://github.com/sup-heliotrope/sup/compare/release-0.14.1...release-0.14.1.1
>>
>>>
>>>
>> 
Could a CVE be assigned for this issue?
>>> 
>>> Regards, Salvatore
>>> 
>> 
>> Please use CVE-2013-4478 for this issue.
> 
> To confirm, is this CVE for both the content_type issue and the
> filename issue?
> 
> Thanks,
> 
> -- Murray McAllister / Red Hat Security Response Team

CVE-2013-4478 is for the issue specifically covered in
http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt

which is
https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785
(security: shellwords escape attachment file names to prevent remote
code execution).

I missed that they fixed a second issue:

https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42
(security: prevent remote command injection in content_type)

Pleas use CVE-2013-4479 for this

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJScJF5AAoJEBYNRVNeJnmT57MQANYex5v0uoNLQ6LfkHM16hnH
quIf0urWlIC/CwY9KfkON8rh3seP1J9H+0iDcdOIzxCvDqFUXMTY4gJU5G1j1DDh
SDoXoMW94kzW8xWb8tTJWqqfzSXb/teOUtlqPdcbzper15OjU6R6Ga9wJ6zzuQQZ
w8dVH27oskgqmEplu/2vT+uop4JIv0fR0um6QiWdKHEpfGsAVjrm81OhEW519cvn
H4FNSzgNl4Q+KuF3V1cZBsFDT/bCmm+MrMMYccAVn+anGV62H4Az8wM7aaDU4aTZ
/mhiPgoNxtRbE+NzeAGDbNw9gsNtOzSRI+/t/rd605z3hhwwfNlF0MCyU1wiGhjF
K2KjKnil4VlyUewjxNhLJRVzJ6wrJtKOrQi/od6eBN6Hv3AJhrK7RqmnzxBWlRQ1
1/JBRL5qJiYquesgMwd4GPrhpar04p38+FMYnWbCcNkuAlqoNiivI8yt2knvLRKr
mDjJAJY7FlxWd7Flz0/6GfPj3U0lxRn0vEFEPmy+BhnYZY5qnoP/77Kv1tuyWcbj
/gzhrGTtkrNMaBEvYJ3UQtKCYlCRpQCvnWnQ9X/aG3aEGUPfxsVCWb42vht66AWg
03n0GVAjtf7mWgFJ9KVVEgRf0oId6AJcSAGMSmnPqsrT55d7x84tTycqR0SRZ0Fo
jWuwNu4O8S4oj9Z350z/
=Zaxg
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic