codesake-dawn 1.1.1 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 36ef1462b17193335545803ba645b1d23e9fb8fc
-  data.tar.gz: 968fb71145e469a485a61a6c667b0c5050ad3058
+  metadata.gz: 9c98dc1ac9b498221f9259088c579414dc2c1702
+  data.tar.gz: adebc95880499394348fb5216bc625f4facb82e4
 SHA512:
-  metadata.gz: a8be5a4f078b5ca275666ea80e49d719877832710e820f73856a91cd9c90d7f0f530173c3f92389baff45ad19c0a70656c9ee6985b1b106c196e83714e1ad640
-  data.tar.gz: 3d57b1c811cb6dc542789735803ae14106e888313061bb0f2fb14c1536baa531e989882dbc2cbb6edc899d984df249d7191b93a59678c879ba938288845a8bc9
+  metadata.gz: 10f26e434ae808c9ec4407ca24be27cf42c45651b36938348ab972e77ce65e84315b208da040d0e72e7e40bf955101a909cd724293b4b8489ebaafe5ca6ea3e3
+  data.tar.gz: 08534937ffc51cf3e01a02fdad729caaeb5c7d69a12e29699fa3628ff0aaf08d3008cc0ed0934ecfcccf116c526309f7679a322d90be350fd21b7d6b547750a9

data/Changelog.md

@@ -5,7 +5,11 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Wed Apr  9 17:26:49 CEST 2014_
+_latest update: Fri Apr 18 07:55:10 CEST 2014_
+
+## Version 1.1.2 - codename: Lightning McQueen (2014-04-22)
+
+* Adding a check for OSVDB-105971: remote code execution for sfpagent ruby gem
 
 ## Version 1.1.1 - codename: Lightning McQueen (2014-04-11)
 
@@ -101,8 +105,6 @@ _latest update: Wed Apr  9 17:26:49 CEST 2014_
 
 ## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
 
-## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
-
 * Added a check for CVE-2014-2538
 
 ## Version 1.0.5 - codename: Lightning McQueen (2014-03-18)

data/checksum/codesake-dawn-1.1.1.gem.sha512

@@ -0,0 +1 @@
+27932cdcc95b44f9ebc715cfff2e66c764e13502beb5cd7775599612c108bf132f5300c0fb46e6e7fcdb84343b06bbf46cc80d6b0c1ab443bb6f6011c8557ef6

data/lib/codesake/dawn/kb/osvdb_105971.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-04-17
+			class OSVDB_105971
+				include DependencyCheck
+
+				def initialize
+          message = "sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands."
+
+           super({
+            :name=> "OSVDB-105971",
+            :cvss=>"",
+            :release_date => Date.new(2014, 4, 16),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade sfpagent version at least to 0.4.15. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://seclists.org/oss-sec/2014/q2/118"]
+           })
+           self.safe_dependencies = [{:name=>"sfpagent", :version=>['0.4.15']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/knowledge_base.rb

@@ -217,6 +217,11 @@ require "codesake/dawn/kb/cve_2014_2322"
 require "codesake/dawn/kb/cve_2014_2525"
 require "codesake/dawn/kb/cve_2014_2538"
 
+# OSVDB
+
+require "codesake/dawn/kb/osvdb_105971"
+
+
 module Codesake
   module Dawn
     # XXX: Check if it best using a singleton here
@@ -454,6 +459,9 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2014_2322.new,
           Codesake::Dawn::Kb::CVE_2014_2525.new,
           Codesake::Dawn::Kb::CVE_2014_2538.new,
+
+          # OSVDB Checks are still here since are all about dependencies
+          Codesake::Dawn::Kb::OSVDB_105971.new
         ]
         # END @cve_security_checks array
         # START @owasp_ror_cheatsheet_checks array

data/lib/codesake/dawn/version.rb

@@ -19,10 +19,10 @@ module Codesake
     # |   "Luigi"       |  7.0.0  |
     # | "Doc Hudson"    |  8.0.0  |
 
-    VERSION   = "1.1.1"
+    VERSION   = "1.1.2"
     CODENAME  = "Lightning McQueen"
     # RELEASE   = "(development)"
-    RELEASE   = "20140410"
+    RELEASE   = "20140422"
 
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -887,4 +887,10 @@ end
         sc.should_not   be_nil
           sc.class.should == Codesake::Dawn::Kb::CVE_2014_2525
   end
+  it "must have test for OSVDB_105971" do
+    sc = kb.find("OSVDB-105971")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::OSVDB_105971
+  end
+
 end

data/spec/lib/kb/osvdb_105971_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+describe "The OSVDB_105971 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::OSVDB_105971.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable version it has been found (0.4.14)" do
+    @check.dependencies = [{:name=>"sfpagent", :version=>"0.4.14"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe version it has been found (0.4.15)" do
+    @check.dependencies = [{:name=>"sfpagent", :version=>"0.4.15"}]
+    @check.vuln?.should   be_false
+  end
+  it "must be filled with CVE identifier"
+  it "must be filled with CVSS information"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.1.2
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
   1LyVQIFlhF6nL0casp0ixer8N60=
   -----END CERTIFICATE-----
-date: 2014-04-11 00:00:00.000000000 Z
+date: 2014-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -284,6 +284,7 @@ files:
 - checksum/.placeholder
 - checksum/codesake-dawn-1.1.0.gem.sha512
 - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
+- checksum/codesake-dawn-1.1.1.gem.sha512
 - codesake-dawn.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md
@@ -465,6 +466,7 @@ files:
 - lib/codesake/dawn/kb/deprecation_check.rb
 - lib/codesake/dawn/kb/not_revised_code.rb
 - lib/codesake/dawn/kb/operating_system_check.rb
+- lib/codesake/dawn/kb/osvdb_105971.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb
@@ -539,6 +541,7 @@ files:
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/cve_2014_2538_spec.rb
+- spec/lib/kb/osvdb_105971_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb
 - support/bootstrap.js
@@ -628,5 +631,6 @@ test_files:
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/cve_2014_2538_spec.rb
+- spec/lib/kb/osvdb_105971_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb

metadata.gz.sig

@@ -1,3 +1 @@
-�1�����s�# -����^�U����;u�P��Ӯ���p��=Pe�n���I�5���M��!��)��	Z���$�NH��H��^Y�����𸠙+O�>-"}����!�j�t{o:�[��~b
-�V/ M������u����Ni]7���\�4�1w�n���A��,�,��X���1h�b�
-����*o>{��M�c;�p�
+�_���jJ�2*t�	�*/8"8"	���ͬ���c����k�m��l
� �O��3jdΏ�f�����c�M�9�bC0s��G�r�9���R�^��M�dQ�J���S`Z�(���Wtl��W�Gw���9':%2�~���D�Sg��^yr'��ߔEԑ7t��I�ܜ_�@��#�������C�s���c�Ξ���K;Ћlf`亘7�Y<U`�Y�XS���zW��ퟟ��Կ�}�@�f�$�\�