Vulnerability in the Mail gem affecting Rails 3.0.x applications


Michael Koziarski

Jan 26, 2011, 12:10:24 AM1/26/11
to rubyonrail...@googlegroups.com
Mikel Lindsaar has released a new version of the mail gem which
addresses a potential vulnerability affecting the sendmail delivery
method. As this affects Rails users I'm cross-posting the
announcement here. For more information see the original
announcement:

http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1

The original report follows:

There is a vulnerability in the sendmail delivery agent of the
Mail gem that could allow an attacker to pass arbitrary commands
to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later

Impact
------------------------------------------------------------------
An attacker could craft an email address used to send out an email
and inject code that would be executed by the system shell.
All users who are using sendmail to deliver their system email and
running a 2.2.14 or earlier release of Mail should upgrade
immediately.

Releases
------------------------------------------------------------------
Mail version 2.2.15 has been released which fixes this problem and
is available on RubyGems.org.

Steps to Protect your application
------------------------------------------------------------------
Update your Gemfile and include:
gem "mail", "~> 2.2.15"

and run
$ bundle install

Or for non-bundler systems, install the mail gem 2.2.15 with:
gem install mail

Workarounds
------------------------------------------------------------------
Changing your delivery method to use SMTP or File instead of
Sendmail will also protect you from the potential exploit.
In Mail, instructions on how to use the SMTP or File delivery
methods can be found at:
http://rdoc.info/github/mikel/mail/master/Mail/SMTP
http://rdoc.info/github/mikel/mail/master/Mail/FileDelivery

For Ruby on Rails users, delivery method settings can be found at:
http://guides.rubyonrails.org/action_mailer_basics.html

Patch
------------------------------------------------------------------
A patch can be found at the following URL for the Mail Sendmail
class for those who are running an earlier version of Mail and
cannot update to the latest version.
https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch

Credits
------------------------------------------------------------------
Thanks to Andy Lindeman for initially reporting the vulnerability
and providing a patch fix and to Steven Lorek for also reporting
the issue.

--
Cheers

Koz
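
The bug class described above, as an added Ruby example that is not the Mail gem's code and not the linked patch: the shell-string pattern in which an envelope sender is interpolated into a command line, beside two defensive alternatives (an argv-array invocation that never goes through /bin/sh, and Shellwords escaping) plus a conservative allowlist check on the address. The sendmail path, `run_argv` helper and `deliver_via_sendmail` wrapper are assumptions for illustration.

```ruby
require "shellwords"

# Constructed example; assumed sendmail location.
SENDMAIL = "/usr/sbin/sendmail"

# Risky pattern (do not use): the address becomes part of a string that
# /bin/sh parses, so any shell metacharacter in it is interpreted.
def unsafe_sendmail_command(from)
  "#{SENDMAIL} -i -f #{from}"
end

# Hardening option 1: if a shell string is unavoidable, escape the argument
# so the shell sees it as a single literal word.
def escaped_sendmail_command(from)
  "#{SENDMAIL} -i -f #{Shellwords.escape(from)}"
end

# Hardening option 2 (preferred): build an argv array. IO.popen / spawn with
# an array execs the binary directly, so no shell ever parses the address.
def sendmail_argv(from)
  [SENDMAIL, "-i", "-f", from]
end

# Allowlist for the envelope sender, deliberately stricter than RFC 5322:
# no whitespace, quotes or shell metacharacters can pass.
ADDRESS_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/

def safe_envelope_address?(addr)
  addr.is_a?(String) && addr.size <= 254 && ADDRESS_RE.match?(addr)
end

# Hypothetical runner: feeds the message to sendmail via argv, not a shell.
def run_argv(argv, stdin_data)
  IO.popen(argv, "w") { |io| io.write(stdin_data) }
  $?.success?
end

# Validate first, then deliver through the argv path only. The runner is
# injectable so the logic can be exercised without a real sendmail binary.
def deliver_via_sendmail(from, message, runner: method(:run_argv))
  unless safe_envelope_address?(from)
    raise ArgumentError, "rejected envelope sender: #{from.inspect}"
  end
  runner.call(sendmail_argv(from), message)
end
```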
