Skip to content

CVE-2015-9097: prevent SMTP command injection via To/From addresses#1097

Closed
jeremy wants to merge 1 commit into
mikel:masterfrom
jeremy:security/smtp-injection
Closed

CVE-2015-9097: prevent SMTP command injection via To/From addresses#1097
jeremy wants to merge 1 commit into
mikel:masterfrom
jeremy:security/smtp-injection

Conversation

@jeremy

@jeremy jeremy commented May 9, 2017
edited
Loading

Copy link
Copy Markdown
Collaborator

Validate addresses passed as SMTP command arguments to prevent
injection of other SMTP commands. Disallow line breaks and very
long addresses which may cause overflows on some old SMTP servers.

Ruby 2.4 Net::SMTP already disallows addresses that contain newlines.
Enforce this validation in Mail to cover older Ruby versions and
other SMTP implementations that don't validate input.

SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677

@jeremy jeremy added this to the 2.7.0 milestone May 9, 2017
@jeremy jeremy force-pushed the security/smtp-injection branch from 7c2bc76 to 6671495 Compare May 9, 2017 03:47
@jeremy
SMTP security: prevent command injection via To/From addresses
31c6ca4 
Validate addresses passed as SMTP command arguments to prevent
injection of other SMTP commands. Disallow line breaks and very
long addresses which may cause overflows on some old SMTP servers.

Ruby 2.4 Net::SMTP already disallows addresses that contain newlines.
Enforce this validation in Mail to cover older Ruby versions and
other SMTP implementations that don't validate input.

SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677
@jeremy jeremy force-pushed the security/smtp-injection branch from 6671495 to 31c6ca4 Compare May 9, 2017 04:00
This was referenced May 9, 2017
Closed
Closed
@jeremy jeremy closed this in cfff6c8 May 9, 2017
@jeremy jeremy deleted the security/smtp-injection branch May 9, 2017 04:25
This was referenced May 9, 2017
Closed
Closed
buren added a commit to justarrived/just_match_api that referenced this pull request May 10, 2017
@buren
Update gems: mail (fixed Security advisory: mikel/mail#1097)
11bf980
@jordan-brough

jordan-brough commented May 11, 2017

Copy link
Copy Markdown

@jeremy when might we expect an official 2.6.6 release for this? Currently I only see a 2.6.6.rc1 on rubygems.

@jeremy

jeremy commented May 15, 2017

Copy link
Copy Markdown
Collaborator Author

@jordan-brough Expect an official 2.6.6 after RC1 has had a fair number of installs to shake out regressions. Note than 2.6.x is (coincidentally) not vulnerable to this issue, thanks to #505 stripping CRLF from header values.

amatriain added a commit to amatriain/feedbunch that referenced this pull request May 15, 2017
@amatriain
Pin mail gem to version 2.6.6.rc1
0471094 
This fixes a vulnerability that allows users to send spam from any form
that allows email input (e.g. signup).

For more about the vulnerability see:

mikel/mail#1097

When implicit dependency resolution in Gemfile.lock resolves to a
released mail version that includes the fix, the explicit dependency in
Gemfile will be removed.
@david-a-wheeler david-a-wheeler mentioned this pull request May 30, 2017
Closed
drewda added a commit to transitland/transitland-datastore that referenced this pull request Jun 1, 2017
@drewda
updating gems & pegging mail gem to address security vunerability
b7cd327 
see mikel/mail#1097

TODO: remove once mikel/mail#1116 is addressed
@drewda drewda mentioned this pull request Jun 1, 2017
Merged
@stvnrlly stvnrlly mentioned this pull request Jun 1, 2017
Open
eviltrout added a commit to discourse/discourse that referenced this pull request Jun 1, 2017
@eviltrout
SECURITY: Vunerability in mail gem
19d5eb9 
(see mikel/mail#1097)
eviltrout added a commit to discourse/discourse that referenced this pull request Jun 1, 2017
@eviltrout
SECURITY: Vunerability in mail gem
0eaa6de 
(see mikel/mail#1097)
eviltrout added a commit to discourse/discourse that referenced this pull request Jun 1, 2017
@eviltrout
SECURITY: Vunerability in mail gem
d46f98a 
(see mikel/mail#1097)
@varyonic

varyonic commented Jun 8, 2017
edited
Loading

Copy link
Copy Markdown

One month and >10,000 downloads for 2.6.6.rc1.

@jeremy

jeremy commented Jun 9, 2017
edited
Loading

Copy link
Copy Markdown
Collaborator Author

Mail 2.5.5 (tag) and 2.6.6 (tag) are released.

ylansegal added a commit to ylansegal/tokenator that referenced this pull request Jun 9, 2017
@ylansegal
Upgrade mail gem to address security vulnerability...
f690c40 
mikel/mail#1097
@cjlarose cjlarose mentioned this pull request Jun 10, 2017
Merged
@ulferts ulferts mentioned this pull request Jun 13, 2017
Merged
@buzztaiki buzztaiki mentioned this pull request Jun 17, 2017
Closed
@artur-intech artur-intech mentioned this pull request Sep 27, 2017
Merged
@jzruscio jzruscio mentioned this pull request Oct 16, 2017
Closed
@dependabot dependabot Bot mentioned this pull request Mar 12, 2021
Open
@dependabot dependabot Bot mentioned this pull request Mar 15, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.7.0

Development

Successfully merging this pull request may close these issues.

3 participants

@jeremy @jordan-brough @varyonic