Bug 847188 (CVE-2013-4457) - VUL-0: CVE-2013-4457: rubygem-cocaine: command injection via variable interpolation
Summary: VUL-0: CVE-2013-4457: rubygem-cocaine: command injection via variable interpo...
Status: RESOLVED FIXED
Alias: CVE-2013-4457
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Deadline: 2013-10-30
Assignee: Josef Reidinger
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:54836:important CVSSv2:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-23 07:39 UTC by Victor Pereira
Modified: 2016-10-21 22:31 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Victor Pereira 2013-10-23 07:39:08 UTC
CVE-2013-4457

Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2, an attacker may be able to inject
hostile commands into a command line via a crafted hash object whose values are not properly escaped.

The impact is lessened on Ruby version 1.8.* because hashes are not ordered by default, and so an attacker
must rely on luck for the attack to work.

An attack of this sort cannot take place if there is only one value being interpolated into the command line.

Users of the Paperclip gem are encouraged to upgrade to the latest version of Cocaine. Users of the 2.7
branch of Paperclip will not need to upgrade as the version of Cocaine it uses is not vulnerable to this attack.


References:
http://comments.gmane.org/gmane.comp.security.oss.general/11356
https://github.com/thoughtbot/cocaine/commit/5ede63e2d0bbbee84e2a1346122560bbde49a555
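The flaw the advisory describes (a value substituted early being rescanned for later tokens, so that a second value ends up outside its quotes) modelled in Ruby. This is an added illustration, not cocaine's own code; the single-quote quoting, the `:name` token regex and the sample hash are assumptions chosen to make the effect visible.

```ruby
require 'shellwords'

# Single-quote a value for a POSIX shell: wrap in quotes, and close/escape/reopen
# around any embedded quote. Quoting style is an assumption for this model.
def shell_quote(value)
  "'#{value.to_s.gsub("'") { "'\\''" }}'"
end

# Flawed pattern: substitute one key at a time. The quoted output of an earlier
# substitution is scanned again by each later one, so a value that merely looks
# like a later token (":dest") gets that later value spliced into its quotes.
# On Ruby 1.8 hash iteration order is not insertion order, hence "rely on luck".
def interpolate_sequential(pattern, values)
  values.inject(pattern) do |cmd, (key, value)|
    cmd.gsub(/:#{key}\b/) { shell_quote(value) }
  end
end

# Fixed pattern: one pass over the original template only. Substituted text is
# never rescanned, so each value stays inside its own quotes regardless of its
# content or of the order of keys in the hash.
def interpolate_single_pass(pattern, values)
  pattern.gsub(/:(\w+)\b/) do |token|
    key = Regexp.last_match(1).to_sym
    values.key?(key) ? shell_quote(values[key]) : token
  end
end

# Constructed sample input: the first value spells the second token's name, the
# second value contains a space so word splitting is visible in the result.
PATTERN = "convert :source :dest".freeze
SAMPLE_VALUES = { source: ":dest", dest: "a b" }.freeze

# What a shell would see as argv for each variant.
def sequential_argv
  Shellwords.split(interpolate_sequential(PATTERN, SAMPLE_VALUES))
end

def single_pass_argv
  Shellwords.split(interpolate_single_pass(PATTERN, SAMPLE_VALUES))
end

if __FILE__ == $PROGRAM_NAME
  puts interpolate_sequential(PATTERN, SAMPLE_VALUES)  # convert ''a b'' 'a b'
  p sequential_argv                                    # second value was split
  puts interpolate_single_pass(PATTERN, SAMPLE_VALUES) # convert ':dest' 'a b'
  p single_pass_argv
end
```

With the keys in the opposite order the sequential version happens to be safe, which is the ordering dependence the advisory attributes to Ruby 1.8 hashes; the single-pass version gives the same safe result either way.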
Comment 1 Swamp Workflow Management 2013-10-23 11:57:05 UTC
The SWAMPID for this issue is 54836.
This issue was rated as important.
Please submit fixed packages until 2013-10-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Ruediger Oertel 2013-10-23 12:31:08 UTC
slms package; I guess I was only the maintainer by accident ...
Comment 3 Josef Reidinger 2013-10-23 12:52:03 UTC
Victor - we use cocaine 0.3.2, so from the report it looks like we are not affected, right? Because we really use it only as a dependency of paperclip at an old version and on ruby 1.8, I think there is no need to take action.
Comment 4 Swamp Workflow Management 2013-10-23 22:00:28 UTC
bugbot adjusting priority
Comment 5 Victor Pereira 2013-10-29 10:06:10 UTC
> The impact is lessened on Ruby version 1.8.* because hashes are not ordered by
> default, and so an attacker
> must rely on luck for the attack to work.

What I could understand from this paragraph is that the problem is harder to exploit on 1.8 because hashes are not ordered. It means ruby 1.9 and 2.0 are easier to exploit.

And checking paperclip, the last-but-one version (v3.5.1) was using a vulnerable version of cocaine (0.5.0): https://github.com/thoughtbot/paperclip/blob/203415c180f3474b49b95da563ae0272c0fd3b3f/paperclip.gemspec
Comment 6 Josef Reidinger 2013-11-08 17:02:48 UTC
Victor - as we talked on IRC, SLE11 is not affected as we use a much older cocaine. In opensuse, dlre now contains 0.5.3, which should contain the fix. paperclip specifies that it needs ~> 0.5.0, which means use 0.5.X, so if we distribute 0.5.3 with the fix we are OK. Are you OK if I close this bug?
Older versions of opensuse are not affected as it lives only in dlre and is distributed only via OBS.
Comment 7 Victor Pereira 2013-12-18 16:03:18 UTC
Yes, from my side it is OK.
Comment 8 Josef Reidinger 2013-12-18 16:16:23 UTC
OK, so let's close it.
Thanks for the report.