Release date:
Updated on: 2013-05-19
Affected Systems:
Rubygems cremefraiche 0.6
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2013-2090
Creme Fraiche is a Ruby gem that converts email to PDF.
In Creme Fraiche 0.6.0, the "set_meta_data()" function in lib/cremefraiche.rb does not properly sanitize the filenames of email attachments before passing them to a shell command. If a malicious attachment filename contains shell metacharacters, the attacker's input is injected into the shell command and executed.
Source: Larry W. Cashdollar (lwc@vapid.dhs.org)
Link: http://secunia.com/advisories/53391/
http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
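The flaw described above, shown as an added Ruby example that is not the cremefraiche gem's own code: an attachment name interpolated into a shell string, beside the argument-vector and Shellwords forms that keep the name out of the shell, plus a filename sanitizer and a detection check for ingest logging. The external tool (exiftool), its options and the sample filename are assumptions for illustration only.

```ruby
require 'shellwords'

# Constructed sample attachment name carrying shell metacharacters.
HOSTILE_NAME = "invoice.pdf; touch injected"

# Vulnerable shape: the attachment name is interpolated into one command
# string. Given to `...`, system("...") or IO.popen("..."), /bin/sh parses
# the ';' and runs the attacker's trailing command.
def unsafe_command(attachment_name)
  "exiftool -Title=Mail #{attachment_name}"
end

# Fix 1: argument vector. system(*argv) and IO.popen(argv) exec the program
# directly with no shell, so metacharacters are inert bytes in one argv slot.
def safe_argv(attachment_name)
  ["exiftool", "-Title=Mail", attachment_name]
end

# Fix 2: if a single command string is unavoidable, quote with Shellwords so
# the shell sees exactly one argument.
def safe_string(attachment_name)
  "exiftool -Title=Mail #{Shellwords.escape(attachment_name)}"
end

# Defensive normalisation when storing attachments: keep only the basename,
# a conservative character set and no leading dot, so any later shell use
# cannot be influenced by the sender-controlled name.
def sanitize_attachment_name(attachment_name)
  base = File.basename(attachment_name)
  safe = base.gsub(/[^A-Za-z0-9._-]/, "_").sub(/\A\.+/, "")
  safe.empty? ? "attachment" : safe
end

# Detection: flag names containing characters a POSIX shell would interpret,
# which is what an injection attempt against this bug looks like on ingest.
SHELL_METACHARS = /[;&|`$<>()\\'"*?\n]/
def suspicious_name?(attachment_name)
  attachment_name.match?(SHELL_METACHARS)
end
```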
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Rubygems
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://rubygems.org/gems/cremefraiche