Bug 489134 (CVE-2013-4457) - <dev-ruby/cocaine-0.5.3: Recursive Interpolation Vulnerability in Cocaine rubygem (CVE-2013-4457)
Summary: <dev-ruby/cocaine-0.5.3: Recursive Interpolation Vulnerability in Cocaine rub...
Status: RESOLVED FIXED
Alias: CVE-2013-4457
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/157
Whiteboard: ~4[noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-23 12:55 UTC by Mikle Kolyada (RETIRED)
Modified: 2013-11-05 02:06 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-23 12:55:27 UTC
from ${URL}:

Recursive Interpolation Vulnerability in Cocaine rubygem

There is a vulnerability interpolating variables recursively in Cocaine. This vulnerability has been assigned the CVE identifier CVE-2013-4457.

Versions Affected:  0.4.x, 0.5.1, 0.5.2
Not affected:       0.3.x
Fixed Versions:     0.5.3

Impact
------

Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2, an attacker may be able to inject hostile 
commands into a command line via a crafted hash object which are not properly escaped.

The impact is lessened on Ruby version 1.8.* because hashes are not ordered by default, and so an attacker must rely on luck for the attack to work.

An attack of this sort cannot take place if there is only one value being interpolated into the command line.

Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the 2.7 branch of 
Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.

Releases
--------
Version 0.5.3 fixes the problem involved and is available at rubygems.org

Credits
-------

Thanks to Holger Just for reporting this! 

--
Jon Yurek
http://thoughtbot.com
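The failure mode the advisory describes, shown as an added illustration that is not Cocaine's code: a simplified command-line templating helper that fills `:key` placeholders from a hash. The sequential, one-key-at-a-time substitution rescans text it has already emitted, so a value containing the text of a later placeholder is expanded a second time and the second value lands inside the first value's quoting; a single pass over the original template does not. The helper names (`shell_quote`, `naive_interpolate`, `single_pass_interpolate`, `argv_for`) and the sample template and hash are constructed for this example.

```ruby
# Added example (not Cocaine's code): a simplified model of the interpolation
# bug class behind CVE-2013-4457. A command template contains :key
# placeholders that are filled from a hash; the helper names below and the
# sample template/hash are hypothetical.
require 'shellwords'

# Wrap a value in single quotes for a POSIX shell; an embedded single quote
# becomes '\'' (close quote, escaped quote, reopen quote).
def shell_quote(value)
  "'" + value.to_s.gsub("'") { "'\\''" } + "'"
end

# Vulnerable pattern: substitute one key at a time. After :input has been
# replaced, the result is scanned again for :output, so placeholder text that
# arrived *inside* the value for :input is expanded too. The second value is
# spliced into the middle of the first value's quotes and terminates them
# early. The outcome depends on hash iteration order, which is why the
# advisory notes the attack is unreliable on Ruby 1.8 (unordered hashes).
def naive_interpolate(pattern, interpolations)
  interpolations.inject(pattern) do |command, (key, value)|
    command.gsub(/:#{key}\b/) { shell_quote(value) }
  end
end

# Hardened pattern: a single pass over the original template. Each placeholder
# is replaced exactly once and substituted text is never rescanned, so a value
# that merely looks like a placeholder stays a literal argument.
def single_pass_interpolate(pattern, interpolations)
  pattern.gsub(/:(\w+)/) do |match|
    key = Regexp.last_match(1).to_sym
    interpolations.key?(key) ? shell_quote(interpolations[key]) : match
  end
end

# Tokenise the way a POSIX shell would, to see what argv the program receives.
# A quote breakout shows up here as extra words; with shell metacharacters in
# the second value it would instead become a separate command.
def argv_for(command_line)
  Shellwords.split(command_line)
end

# Constructed sample: a two-placeholder template and a crafted hash whose first
# value carries the text of the second placeholder.
TEMPLATE = 'convert :input :output'.freeze
CRAFTED  = { input: 'photo :output', output: 'x y' }.freeze

if __FILE__ == $PROGRAM_NAME
  naive  = naive_interpolate(TEMPLATE, CRAFTED)
  single = single_pass_interpolate(TEMPLATE, CRAFTED)
  puts "naive:       #{naive}"   # convert 'photo 'x y'' 'x y'
  p argv_for(naive)              # ["convert", "photo x", "y", "x y"]
  puts "single pass: #{single}"  # convert 'photo :output' 'x y'
  p argv_for(single)             # ["convert", "photo :output", "x y"]
end
```

With only one placeholder in the template there is nothing left to rescan, which is the advisory's observation that a single interpolated value cannot be exploited this way; the defect is the rescanning of already-substituted output, not the quoting routine itself.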
Comment 1 Hans de Graaff gentoo-dev Security 2013-10-23 17:40:47 UTC
cocaine 0.5.3 is now available in the tree. Older vulnerable versions have been removed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:06:23 UTC
CVE-2013-4457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4457):
  The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent
  attackers to execute arbitrary commands via a crafted hash object, related to
  recursive variable interpolation.