Message-Id: <201407111021.s6BALT8v022422@linus.mitre.org>
Date: Fri, 11 Jul 2014 06:21:29 -0400 (EDT)
From: cve-assign@...re.org
To: larry0@...com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are not sure of the best way to interpret statements such as

> If this Gem is used in the context of a Rails application it may be
> possible for a remote user to inject commands into the shell via
> #{password} #{user} #{deploy_name} #{application} variables if that
> data is user supplied.

At this level, one question might be: is it possible that this Gem wasn't ever intended to be used in the context of a Rails application? (This question may also apply to some other recent CVE requests.)

At a slightly higher level: http://rubygems.org/gems/kompanee-recipes says "These are the common recipes we've been using here at The Kompanee." It seems unclear whether this is really intended to have widespread use as-is except by thekompanee.com insiders. For example, parts of it seem highly site-specific, such as lib/kompanee-recipes/bash.rb:

  "This will install a more secure SSH environment ... it will ... change the default port ... ln -fs /usr/share/kompanee-common/ssh/sshd_config /etc/ssh/sshd_config"

or lib/kompanee-recipes/environment.rb:

  'Sets intelligent defaults for Kompanee Rackspace deployments ... :domain, "thekompanee.com" ... :server_ip, "174.143.212.245" ... Most of these values can be overridden in each application's deploy.rb file. Unfortunately some of them can't be such as :scm but they're our recipies so... LIVE WITH IT.'

In general, code can be publicly distributed but, realistically, site-specific. It would perhaps be reasonable to decline to assign CVE IDs for anything in kompanee-recipes because the entire Gem is arguably being published as example code that could be adapted by other organizations, not as a general-use product.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
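The interpolation hazard quoted in the report above, as an added example that is not part of this message or of the kompanee-recipes gem: the `./deploy.sh` command shape, the setting values and the `Shellwords.escape` hardening are assumptions, constructed to show how an unescaped setting changes the words a remote shell would parse out of the command.

```ruby
require 'shellwords'

# Constructed stand-ins for the recipe settings named in the report
# (:password, :user, :deploy_name, :application). The password value is
# made up and deliberately contains shell metacharacters.
SETTINGS = {
  password:    's3cret; echo injected',
  user:        'deploy',
  deploy_name: 'myapp-production',
  application: 'myapp'
}.freeze

# Vulnerable shape (hypothetical recipe command): settings interpolated
# straight into the string a recipe would hand to Capistrano's run. Whatever
# the value contains is interpreted by the remote shell as shell syntax, so
# the ';' in the password would end the command and start a second one.
def unsafe_command(s)
  "./deploy.sh #{s[:password]} #{s[:user]} #{s[:deploy_name]} #{s[:application]}"
end

# Hardened shape: each value goes through Shellwords.escape, so the remote
# shell sees exactly one literal word per setting regardless of its content.
def safe_command(s)
  args = %i[password user deploy_name application].map { |k| Shellwords.escape(s[k]) }
  "./deploy.sh #{args.join(' ')}"
end

# Split a command into words the way a POSIX shell would (Shellwords only
# tokenises; it does not treat ';' as a command separator). Used to show how
# many arguments deploy.sh actually receives in each case.
def shell_words(cmd)
  Shellwords.split(cmd)
end

# True when the raw, unescaped metacharacter sequence from the password
# survives into the command string.
def raw_metachars_present?(cmd)
  cmd.include?('; echo injected')
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_command(SETTINGS)}"
  puts "  words: #{shell_words(unsafe_command(SETTINGS)).inspect}"
  puts "safe:   #{safe_command(SETTINGS)}"
  puts "  words: #{shell_words(safe_command(SETTINGS)).inspect}"
end
```

Nothing here is executed by a shell; the check is purely on the command string, which is enough to see that the escaped form keeps the password as a single argument.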