
=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN484
_____________________________________________________________________

DATE                : 24/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running the Cocaine rubygem, versions 0.4.x
                          and 0.5.x prior to 0.5.3.

======================================================================
http://www.openwall.com/lists/oss-security/2013/10/22/10
______________________________________________________________________

From: Jon Yurek <jyurek@...ughtbot.com>
To: oss-security@...ts.openwall.com
Subject: Recursive Interpolation Vulnerability in Cocaine rubygem
(CVE-2013-4457)

Recursive Interpolation Vulnerability in Cocaine rubygem

There is a vulnerability when interpolating variables recursively in Cocaine.
This vulnerability has been assigned the CVE identifier CVE-2013-4457.

Versions Affected:  0.4.x, 0.5.1, 0.5.2
Not affected:       0.3.x
Fixed Versions:     0.5.3

Impact
------

Due to the method of variable interpolation in Cocaine 0.4.0 to 0.5.2,
an attacker may be able to inject hostile commands into a command line
via a crafted hash object which are not properly escaped.

The impact is lessened on Ruby version 1.8.* because hashes are not
ordered by default, and so an attacker must rely on luck for the attack
to work.

An attack of this sort cannot take place if there is only one value
being interpolated into the command line.

Users of the Paperclip gem are encouraged to upgrade to the latest
version of Cocaine. Users of the 2.7 branch of Paperclip will not need
to upgrade as the version of Cocaine it uses is not vulnerable to this
attack.

Releases
--------
Version 0.5.3 fixes the problem involved and is available at rubygems.org

Credits
-------

Thanks to Holger Just for reporting this!

--
Jon Yurek

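The mechanism behind the advisory above, as an added Ruby example written for this note. It is not code from Jon Yurek's post or from the Cocaine gem; the method names (`interpolate_recursive`, `interpolate_single_pass`, `shell_quote`, `outside_single_quotes`, `exposes_metacharacters?`), the `convert :src :dst` template and the two hostile "filename" values are assumptions constructed for the demonstration. The single-quote escaping is a generic POSIX helper, not Cocaine's. The example goes one step beyond the post by also showing the hash-order dependence mentioned for Ruby 1.8 and the single-value case that cannot be attacked.

```ruby
# Added example: a minimal model of CVE-2013-4457 (recursive interpolation)
# written for this note. It is not Cocaine's own code; the method names,
# the template and the two "filename" values below are assumptions
# constructed for the demonstration.

# Single-quote a value for a POSIX shell. Inside single quotes nothing is
# interpreted; an embedded quote is written as '\'' (close, escaped quote,
# reopen).
def shell_quote(value)
  "'" + value.to_s.gsub("'") { "'\\''" } + "'"
end

# Vulnerable pattern: one gsub per key, in hash order. The quoted value
# substituted for an earlier key is scanned again when later keys are
# processed, so a value of ":dst" is rewritten by the :dst pass and the
# quoting around it is torn open.
def interpolate_recursive(pattern, interpolations)
  interpolations.inject(pattern) do |command, (key, value)|
    command.gsub(/:#{key}\b/) { shell_quote(value) }
  end
end

# Fixed pattern: a single gsub over the original template, looking each
# token up in the hash. Substituted values are never rescanned, so a value
# that happens to contain ":dst" stays inside its own quotes.
def interpolate_single_pass(pattern, interpolations)
  pattern.gsub(/:(\w+)\b/) do |match|
    key = Regexp.last_match(1).to_sym
    interpolations.key?(key) ? shell_quote(interpolations[key]) : match
  end
end

# Return only the characters a POSIX shell would see OUTSIDE single quotes;
# anything hostile that lands here ($(, ;, |, ...) is live.
def outside_single_quotes(command)
  inside = false
  command.each_char.with_object(String.new) do |ch, out|
    if ch == "'"
      inside = !inside
    elsif !inside
      out << ch
    end
  end
end

# True when shell metacharacters sit outside the quoting, i.e. the
# interpolation has produced an injectable command line.
def exposes_metacharacters?(command)
  outside_single_quotes(command).match?(/[$;|&`<>]/)
end

TEMPLATE = "convert :src :dst"
# Constructed hostile inputs (e.g. two attacker-chosen filenames): the first
# value smuggles the token of the second key; the second carries the payload.
HOSTILE = { src: ":dst", dst: "$(touch /tmp/pwned)" }

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{interpolate_recursive(TEMPLATE, HOSTILE)}"
  puts "fixed:      #{interpolate_single_pass(TEMPLATE, HOSTILE)}"
end
```

Running the file prints the vulnerable line `convert ''$(touch /tmp/pwned)'' '$(touch /tmp/pwned)'`, where the `$(...)` in the first argument sits between two empty quoted strings and is therefore executed by the shell, and the fixed line `convert ':dst' '$(touch /tmp/pwned)'`, where the smuggled token is inert. Feeding the same hash with the keys in the opposite order to `interpolate_recursive` also yields the safe line, which is why unordered hashes on Ruby 1.8 reduce the attack to luck, and a template with a single placeholder is safe under both implementations because there is no later pass to rescan the substituted value.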
=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
