Add advisory for SMTP injection vulnerability in mail <2.6.0 #215
The paper author has informed me "BTW, while investigating the source code of Mail, I came to think the fault might be more on Net::SMTP's side. It is difficult to say who is responsible for it, Net::SMTP, Mail or application developers (library users) though."
'mail' guys... thoughts on this? In any case, should add a test to 'mail' to ensure this doesn't pop up again. :)
The mail 2.6.x fix is a coincidence. Even if it was intentional, it wouldn't be a sufficient fix for the underlying SMTP injection vuln. The referenced paper discusses this a bit: crafting otherwise-legal FWS to inject & exploit specific MTAs.
Furthermore, the fix is a side effect of incorrect behavior. Fixing that behavior in the mail lib would inadvertently re-expose the underlying SMTPi vuln that had been coincidentally masked. No good.
To rule out this risk, we need input validation in stdlib net/smtp.
Is there a bug filed with ruby upstream to add that validation so that this
On Tuesday, April 5, 2016, Jeremy Daer email@example.com wrote:
Do we need to update anything re: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mail/OSVDB-131677.yml ? I'm thinking re: the patched or fixed versions.
(Aside from adding better context of course. We could add links, and/or move off OSVDB if there's a CVE for it…)
Could just bump
Not sure how this best maps to advisories.
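
The kind of input validation asked for earlier in this thread, sketched as an added example; it is not part of the original discussion and is not code from mail or Net::SMTP. The names `EnvelopeError`, `check_envelope_address`, `safe_envelope` and `rejected?` are hypothetical, and the sample addresses are constructed.

```ruby
# Added example: validate envelope addresses before they reach an SMTP client.
# All names here are hypothetical; nothing below is mail's or Net::SMTP's API.

class EnvelopeError < ArgumentError; end

# CR and LF terminate an SMTP command line, so an address carrying them lets
# the remainder be read as a separate command. Folding whitespace (CRLF
# followed by SP/HTAB) is legal inside a header field but still contains CRLF,
# so it is refused here as well, along with NUL, other C0 controls and DEL.
FORBIDDEN_BYTES = /[\x00-\x1F\x7F]/n

# Returns the address unchanged, or raises EnvelopeError naming the offending
# byte and its offset.
def check_envelope_address(addr)
  raise EnvelopeError, "address must be a String" unless addr.is_a?(String)
  raise EnvelopeError, "empty address" if addr.empty?

  # Match on raw bytes so invalid or unusual encodings cannot dodge the check.
  if (m = FORBIDDEN_BYTES.match(addr.b))
    raise EnvelopeError,
          format("control byte 0x%02X at offset %d", m[0].ord, m.begin(0))
  end
  addr
end

# Validates the sender and every recipient; returns [from, [recipients...]]
# only if all of them pass, so nothing is sent on partial success.
def safe_envelope(from, recipients)
  [check_envelope_address(from),
   Array(recipients).map { |rcpt| check_envelope_address(rcpt) }]
end

# Convenience predicate for tests and logging.
def rejected?(addr)
  check_envelope_address(addr)
  false
rescue EnvelopeError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: plain, CRLF-terminated, FWS, bare LF.
  ["user@example.com", "user@example.com\r\nRSET",
   "user@example.com\r\n\tfolded", "user@example.com\n"].each do |sample|
    puts format("%-34s rejected=%s", sample.inspect, rejected?(sample))
  end
end
```

A check like this belongs at the point where addresses are handed to the SMTP client, so it keeps holding even if header folding behavior in the mail library changes.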