Vulnerability in the Mail gem affecting Rails 3.0.x applications
From: Michael Koziarski <mich...@koziarski.com>
Date: Wed, 26 Jan 2011 18:10:24 +1300
Subject: Vulnerability in the Mail gem affecting Rails 3.0.x applications
Mikel Lindsaar has released a new version of the mail gem which
addresses a potential vulnerability affecting the sendmail delivery
method.  As this affects rails users I'm cross posting the
announcement here.  For more information see the original
announcement:

http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd0...

The original report follows:

There is a vulnerability in the sendmail delivery agent of the
Mail gem that could allow an attacker to pass arbitrary commands
to the system.

Versions Affected:      Versions 2.2.14 or earlier
Not affected:           Any application not using sendmail delivery
Fixed Versions:         2.2.15 or later

Impact
------------------------------------------------------------------
An attacker could craft an email address used to send out an email
and inject code that would be executed by the system shell.
All users who are using sendmail to deliver their system email and
running a 2.2.14 or earlier release of Mail should upgrade
immediately.

Releases
------------------------------------------------------------------
Mail version 2.2.15 has been released which fixes this problem and
is available on RubyGems.org.

Steps to protect your application
------------------------------------------------------------------
Update your Gemfile and include:
  gem "mail", "~> 2.2.15"

and run
  $ bundle install

Or for non-Bundler systems, install the mail gem 2.2.15 with:
  gem install mail

Workarounds
------------------------------------------------------------------
Changing your delivery method to use SMTP or File instead of
Sendmail will also protect you from the potential exploit.
In Mail, instructions on how to use the SMTP or File delivery
methods can be found at:
  http://rdoc.info/github/mikel/mail/master/Mail/SMTP
  http://rdoc.info/github/mikel/mail/master/Mail/FileDelivery

For Ruby on Rails users, delivery method settings can be found at:
  http://guides.rubyonrails.org/action_mailer_basics.html

Patch
------------------------------------------------------------------
A patch can be found at the following URL for the Mail Sendmail
class for those who are running an earlier version of Mail and
cannot update to the latest version.
  https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch

Credits
------------------------------------------------------------------
Thanks to Andy Lindeman for initially reporting the vulnerability
and providing a patch fix and to Steven Lorek for also reporting
the issue.

--
Cheers

Koz
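The advisory above describes the bug class (a recipient address interpolated into a sendmail command line that a shell then parses) without showing it. The following is an added example, written for this page and not code from the Mail gem or from the announcement. It models the vulnerable construction beside two hardened forms and runs offline by substituting `echo` for the sendmail binary, so the lines printed are exactly the argv a real sendmail would have received. The sendmail flags, the address validation pattern and the crafted recipient are all illustrative assumptions, not the gem's actual settings.

```ruby
require "shellwords"

# Stand-in for /usr/sbin/sendmail so the example runs offline: `echo` prints
# its argv, which shows exactly what a real sendmail would receive. (Assumed
# path; a deployment would point this at the real binary.)
SENDMAIL = "echo"

# VULNERABLE pattern (the bug class the advisory describes): build one command
# line by string interpolation and hand it to a shell. Any shell metacharacter
# in an address is then parsed as shell syntax, not as part of the address.
def vulnerable_command(from, to, sendmail: SENDMAIL)
  "#{sendmail} -i -t -f #{from} -- #{to}"
end

# Run a command string the way a string argument to IO.popen/`system` would be
# run: through /bin/sh -c. Returns the output lines.
def run_via_shell(cmd)
  IO.popen(["/bin/sh", "-c", cmd], &:read).lines.map(&:chomp)
end

# FIXED pattern 1: pass an argv array. The process is exec'd directly and no
# shell ever sees the addresses, so metacharacters are just bytes.
def safe_argv(from, to, sendmail: SENDMAIL)
  [sendmail, "-i", "-t", "-f", from, "--", to]
end

def run_via_argv(argv)
  IO.popen(argv, &:read).lines.map(&:chomp)
end

# FIXED pattern 2: if a single command string is unavoidable, escape every
# argument before joining. Shellwords.escape is Ruby's standard quoting routine.
def escaped_command(from, to, sendmail: SENDMAIL)
  safe_argv(from, to, sendmail: sendmail).map { |a| Shellwords.escape(a) }.join(" ")
end

# Defence in depth: validate addresses before they reach any delivery agent.
# This conservative pattern (an assumption of this example) rejects shell
# metacharacters outright; it also rejects some exotic but RFC-valid addresses.
SAFE_ADDRESS = /\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+\z/
def plausible_address?(addr)
  SAFE_ADDRESS.match?(addr)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a crafted recipient of the kind the advisory warns about.
  from = "app@example.com"
  to   = "victim@example.com; echo INJECTED"

  # The vulnerable form prints two lines: the shell ran a second command.
  puts "vulnerable: #{run_via_shell(vulnerable_command(from, to)).inspect}"
  # Both hardened forms print one line, with the whole address as one argument.
  puts "argv:       #{run_via_argv(safe_argv(from, to)).inspect}"
  puts "escaped:    #{run_via_shell(escaped_command(from, to)).inspect}"
  puts "validator:  #{plausible_address?(to)}"
end
```

The second output line in the vulnerable case ("INJECTED") is the attacker-controlled command executing; with the real sendmail binary in place of `echo`, that is arbitrary command execution as the application user. Prefer the argv form over escaping: it removes the shell from the picture entirely instead of relying on the escaping routine matching the shell's quoting rules.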