[SECURITY] Vulnerability in Sendmail Delivery Agent code in Mail 2.2.14


Mikel Lindsaar

Jan 26, 2011, 12:02:11 AM
to mail...@googlegroups.com
There is a vulnerability in the sendmail delivery agent of the
Mail gem that could allow an attacker to pass arbitrary commands
to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later


Impact
------------------------------------------------------------------
An attacker could craft an email address used to send out an email
and inject code that would be executed by the system shell.

All users who are using sendmail to deliver their system email and
running a 2.2.14 or earlier release of Mail should upgrade
immediately.


Releases
------------------------------------------------------------------
Mail version 2.2.15 has been released which fixes this problem and
is available on RubyGems.org.


Steps to protect your application
------------------------------------------------------------------
Update your Gemfile and include:

gem "mail", "~> 2.2.15"

and run

$ bundle install

Or, for systems that do not use Bundler, install version 2.2.15 of the mail gem with:

gem install mail


Workarounds
------------------------------------------------------------------
Changing your delivery method to use SMTP or File instead of
Sendmail will also protect you from the potential exploit.

In Mail, instructions on how to use the SMTP or File delivery
methods can be found at:

http://rdoc.info/github/mikel/mail/master/Mail/SMTP
http://rdoc.info/github/mikel/mail/master/Mail/FileDelivery

For Ruby on Rails users, delivery method settings can be found at:

http://guides.rubyonrails.org/action_mailer_basics.html
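The Impact section above describes the failure class at the heart of this advisory: an attacker-controlled email address reaching the system shell through the sendmail delivery path. The following is an added example, not code from the Mail gem or from this advisory, showing the two defensive controls an application can apply on its own side regardless of gem version: a conservative allow-list for any address handed to a local delivery agent, and invoking the agent with an argument vector so that no shell is ever involved. The sendmail flags used (`-i`, `-f`, `--`) and the `/usr/sbin/sendmail` path are assumptions about a typical sendmail-compatible binary, not taken from the Mail gem's own implementation.

```ruby
require 'shellwords'

# Conservative allow-list for a single mailbox address that will be passed
# to a local delivery agent. Deliberately narrower than RFC 5322 (no quoted
# local parts, no comments, no whitespace, no backticks/pipes/semicolons),
# and the first character must be alphanumeric so an address can never be
# mistaken for a command-line option by the agent.
SAFE_ADDRESS = /\A[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\z/

def safe_address?(addr)
  addr.is_a?(String) && addr.length <= 254 && SAFE_ADDRESS.match?(addr)
end

# Build the argument vector for a sendmail-compatible binary. Returning an
# Array rather than a String lets the caller use the argv form of
# IO.popen/Kernel#system, which never consults /bin/sh, so address contents
# cannot be interpreted as shell syntax. Flags are assumed, not the gem's.
def sendmail_argv(from, recipients, sendmail: '/usr/sbin/sendmail')
  recipients = Array(recipients)
  [from, *recipients].each do |a|
    raise ArgumentError, "refusing unsafe address: #{a.inspect}" unless safe_address?(a)
  end
  # "--" ends option parsing so recipients are always treated as addresses.
  [sendmail, '-i', '-f', from, '--', *recipients]
end

# Only if a single shell string is unavoidable (e.g. a legacy wrapper script):
# every argument is escaped individually with Shellwords, never interpolated raw.
def sendmail_command_line(from, recipients, sendmail: '/usr/sbin/sendmail')
  sendmail_argv(from, recipients, sendmail: sendmail)
    .map { |a| Shellwords.escape(a) }
    .join(' ')
end

# Hand a complete RFC 5322 message (headers + body) to the agent without a
# shell, returning the agent's exit status.
def deliver_via_sendmail(from, recipients, message, sendmail: '/usr/sbin/sendmail')
  IO.popen(sendmail_argv(from, recipients, sendmail: sendmail), 'w') do |io|
    io.write(message)
  end
  $?.exitstatus
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; prints the argv that would be executed.
  p sendmail_argv('app@example.com', ['alice@example.com', 'bob@example.com'])
end
```

The allow-list is intentionally stricter than what a mail server would accept; an application that must accept unusual but legitimate addresses should switch to the SMTP or File delivery methods named in the Workarounds section rather than loosen the pattern, since those paths never touch a shell at all.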


Patch
------------------------------------------------------------------
For those running an earlier version of Mail who cannot update to the
latest release, a patch for the Mail Sendmail class can be found at
the following URL:

https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch


Credits
------------------------------------------------------------------
Thanks to Andy Lindeman for initially reporting the vulnerability
and providing a patch fix and to Steven Lorek for also reporting
the issue.


Regards,


Mikel Lindsaar
http://rubyx.com/
http://lindsaar.net/

