Two flaws were corrected in rubygem-mail version 2.4.4: A file system traversal in file_delivery method [1]. Arbitrary command execution when using exim or sendmail from the commandline [2],[3]. [1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f [2] https://github.com/mikel/mail/commit/36b7fa23d38cb59dd79b7efa258ef0e7ddab5a11 [3] https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2
Created rubygem-mail tracking bugs for this issue Affects: fedora-all [bug 816355]
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/04/26/1
rubygem-mail-2.4.4-1.fc15, rubygem-actionmailer-3.0.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-mail-2.4.4-1.fc16, rubygem-actionmailer-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-mail-2.4.4-1.fc17, rubygem-actionmailer-3.0.11-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: CloudForms for RHEL 6 Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html
Moving this to CVE-2012-2140 only Bug, created CVE-2012-2139 Bz entry separately.
This bug was split because of the different impact of the two issues. CVE-2012-2140 continues to be tracked via this bug, while CVE-2012-2139 got a separate bug 891762.