Bug 1461846 (CVE-2015-9096)

Summary: CVE-2015-9096 ruby: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jgoulding, jhardy, joelsmith, jorton, jprause, kseifried, mmorsi, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: ruby 2.4.0 Doc Type: If docs needed, set a value
Doc Text:
A SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-08 07:36:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1461848, 1461849    
Bug Blocks: 1461852    

Description Adam Mariš 2017-06-15 12:43:11 UTC
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

Upstream patch:


Comment 1 Adam Mariš 2017-06-15 12:46:50 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1461848]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1461849]