Sup is a mail client. joernchen of Phenoelit discovered a command injection flaw in the way Sup handled attachment filenames. If a user opened a malicious attachment in Sup, it would lead to arbitrary command execution.

This issue has been resolved in upstream versions 0.13.2.1 and 0.14.1.1.

References:
http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728232

0.13.2.1 fix:
https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785

0.14.1.1 fix:
https://github.com/sup-heliotrope/sup/commit/a5acc24937320456e244699b8551a9164641f89b
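The bug class described above, as an added Ruby illustration that is not taken from Sup's code or from the fix commits linked in this report: an attachment filename interpolated into a shell command string, next to the argument-vector and escaped forms that keep it a single literal argument. The `printf` call stands in for an external viewer; the filename and all function names are constructed for this example.

```ruby
require "open3"
require "shellwords"

# Constructed sample: a filename as it might arrive in a message's
# Content-Disposition header. The payload is a harmless echo.
HOSTILE_NAME = "notes.txt; echo INJECTED"

# Vulnerable pattern: a single command string is parsed by /bin/sh, so the
# ';' in the filename ends the intended command and starts a second one.
def view_unsafe(name)
  out, _status = Open3.capture2("printf '%s\\n' #{name}")
  out
end

# Hardened: argument-vector form. No shell is involved, so the filename
# reaches the program as one literal argument.
def view_argv(name)
  out, _status = Open3.capture2("printf", "%s\\n", name)
  out
end

# Fallback when a shell string cannot be avoided (for example a
# user-configured viewer template): escape the untrusted value first.
def view_escaped(name)
  out, _status = Open3.capture2("printf '%s\\n' #{Shellwords.escape(name)}")
  out
end

# Defence in depth for the on-disk name: drop directory components and
# anything outside a conservative character set.
def safe_basename(name)
  base = File.basename(name.to_s).gsub(/[^A-Za-z0-9._-]/, "_")
  base = "attachment" if base.empty? || base.match?(/\A\.+\z/)
  base.sub(/\A-/, "_")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:   #{view_unsafe(HOSTILE_NAME).inspect}"
  puts "argv:     #{view_argv(HOSTILE_NAME).inspect}"
  puts "escaped:  #{view_escaped(HOSTILE_NAME).inspect}"
  puts "basename: #{safe_basename(HOSTILE_NAME).inspect}"
end
```

In the unsafe variant the word `INJECTED` appears on its own output line because the shell ran it as a second command; in the other two it stays part of the filename.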
Created rubygem-sup tracking bugs for this issue:

Affects: fedora-all [bug 1024648]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.