Bug 1024645 - CVE-2013-4478 rubygem-sup: command injection flaw in attachment filename handling
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20131029,repo...
Keywords: Security
Depends On: 1024648
Reported: 2013-10-30 03:14 EDT by Murray McAllister
Modified: 2015-01-05 12:00 EST (History)

Description Murray McAllister 2013-10-30 03:14:42 EDT
Sup is a mail client. joernchen of Phenoelit discovered a command injection flaw in the way Sup handled attachment filenames. If a user opened a malicious attachment in Sup, it would lead to arbitrary command execution. This issue has been resolved in upstream versions 0.13.2.1 and 0.14.1.1.


References:

http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728232
0.13.2.1 fix: https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785
0.14.1.1 fix: https://github.com/sup-heliotrope/sup/commit/a5acc24937320456e244699b8551a9164641f89b
Comment 1 Murray McAllister 2013-10-30 03:19:07 EDT
Created rubygem-sup tracking bugs for this issue:

Affects: fedora-all [bug 1024648]
