sup 0.13.2 → 0.13.2.1

data/CONTRIBUTORS

@@ -11,7 +11,6 @@ Eric Sherman <hyperbolist at the gmail dot coms>
 Tero Tilus <tero at the tilus dot nets>
 Ben Walton <bwalton at the artsci.utoronto dot cas>
 Mike Stipicevic <stipim at the rpi dot edus>
-Whyme.Lyu <callme5long at the gmail dot coms>
 Marcus Williams <marcus-sup at the bar-coded dot nets>
 Lionel Ott <white.magic at the gmx dot des>
 Gaudenz Steinlin <gaudenz at the soziologie dot chs>
@@ -45,21 +44,21 @@ Andrew Pimlott <andrew at the pimlott dot nets>
 Jeff Balogh <its.jeff.balogh at the gmail dot coms>
 Matías Aguirre <matiasaguirre at the gmail dot coms>
 Kornilios Kourtis <kkourt at the cslab.ece.ntua dot grs>
-Kevin Riggle <kevinr at the free-dissociation dot coms>
 Giorgio Lando <patroclo7 at the gmail dot coms>
+Kevin Riggle <kevinr at the free-dissociation dot coms>
 Benoît PIERRE <benoit.pierre at the gmail dot coms>
 Alvaro Herrera <alvherre at the alvh.no-ip dot orgs>
 Steven Lawrance <stl at the koffein dot nets>
 Jonah <Jonah at the GoodCoffee dot cas>
 ian <itaylor at the uark dot edus>
-MichaelRevell <mikearevell at the gmail dot coms>
 Adam Lloyd <adam at the alloy-d dot nets>
-Todd Eisenberger <teisenbe at the andrew.cmu dot edus>
 Gregor Hoffleit <gregor at the sam.mediasupervision dot des>
+MichaelRevell <mikearevell at the gmail dot coms>
+Todd Eisenberger <teisenbe at the andrew.cmu dot edus>
 Steven Walter <swalter at the monarch.(none)>
+Jon M. Dugan <jdugan at the es dot nets>
 Jonathan Lassoff <jof at the thejof dot coms>
 Matthieu Rakotojaona <matthieu.rakotojaona at the gmail dot coms>
 Stefan Lundström <lundst at the snabb.(none)>
 Matthias Vallentin <vallentin at the icir dot orgs>
-Jon M. Dugan <jdugan at the es dot nets>
 Kirill Smelkov <kirr at the landau.phys.spbu dot rus>

data/History.txt

@@ -1,3 +1,7 @@
+== 0.13.2.1 / 2013-10-29
+
+* SBU1: security release
+
 == 0.13.2 / 2013-06-26
 
 * FreeBSD 10 comptability

data/ReleaseNotes

@@ -1,3 +1,26 @@
+Release 0.13.2.1:
+
+Security advisory (#SBU1) for Sup
+
+We have been notified of an potential exploit in the somewhat careless
+way Sup treats attachment metadata in received e-mails. The issues
+should now be fixed and I have released Sup 0.13.2.1 and 0.14.1.1 which
+incorporates these fixes. Please upgrade immediately and also ensure
+that your mime-decode or mime-view hooks are secure [0], [1].
+
+This is specifically related to using quotes (',") around filename or
+content_type which is already escaped using Ruby Shellwords.escape -
+this means that the string (content_type, filename) is intended to be
+used _without_ any further quotes. Please make sure that if you use
+.mailcap (non OSX systems), you do not quote the string.
+
+Credit goes to: joernchen of Phenoelit (http://phenoelit.de) who
+discovered and suggested fixes for these issues.
+
+[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments
+[1] https://github.com/sup-heliotrope/sup/wiki/Secure-usage-of-Sup
+
+
 Release 0.13.2:
 
 FreeBSD compatability and more thread safe polling.

data/lib/sup/message_chunks.rb

@@ -1,5 +1,6 @@
 require 'tempfile'
 require 'rbconfig'
+require 'shellwords'
 
 ## Here we define all the "chunks" that a message is parsed
 ## into. Chunks are used by ThreadViewMode to render a message. Chunks
@@ -59,6 +60,8 @@ end
 module Redwood
 module Chunk
   class Attachment
+    ## please see note in write_to_disk on important usage
+    ## of quotes to avoid remote command injection.
     HookManager.register "mime-decode", <<EOS
 Decodes a MIME attachment into text form. The text will be displayed
 directly in Sup. For attachments that you wish to use a separate program
@@ -75,6 +78,9 @@ Return value:
   The decoded text of the attachment, or nil if not decoded.
 EOS
 
+
+    ## please see note in write_to_disk on important usage
+    ## of quotes to avoid remote command injection.
     HookManager.register "mime-view", <<EOS
 Views a non-text MIME attachment. This hook allows you to run
 third-party programs for attachments that require such a thing (e.g.
@@ -100,8 +106,18 @@ EOS
     attr_reader :content_type, :filename, :lines, :raw_content
     bool_reader :quotable
 
+    ## store tempfile objects as class variables so that they
+    ## are not removed when the viewing process returns. they
+    ## should be garbage collected when the class variable is removed.
+    @@view_tempfiles = []
+
     def initialize content_type, filename, encoded_content, sibling_types
       @content_type = content_type.downcase
+      if Shellwords.escape(@content_type) != @content_type
+        warn "content_type #{@content_type} is not safe, changed to application/octet-stream"
+        @content_type = 'application/octet-stream'
+      end
+
       @filename = filename
       @quotable = false # changed to true if we can parse it through the
                         # mime-decode hook, or if it's plain text
@@ -116,7 +132,9 @@ EOS
       when /^text\/plain\b/
         @raw_content
       else
-        HookManager.run "mime-decode", :content_type => content_type,
+        ## please see note in write_to_disk on important usage
+        ## of quotes to avoid remote command injection.
+        HookManager.run "mime-decode", :content_type => @content_type,
                         :filename => lambda { write_to_disk },
                         :charset => encoded_content.charset,
                         :sibling_types => sibling_types
@@ -147,11 +165,13 @@ EOS
     def initial_state; :open end
     def viewable?; @lines.nil? end
     def view_default! path
+      ## please see note in write_to_disk on important usage
+      ## of quotes to avoid remote command injection.
       case RbConfig::CONFIG['arch']
         when /darwin/
-          cmd = "open '#{path}'"
+          cmd = "open #{path}"
         else
-          cmd = "/usr/bin/run-mailcap --action=view '#{@content_type}:#{path}'"
+          cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
       end
       debug "running: #{cmd.inspect}"
       BufferManager.shell_out(cmd)
@@ -159,17 +179,31 @@ EOS
     end
 
     def view!
-      path = write_to_disk
-      ret = HookManager.run "mime-view", :content_type => @content_type,
-                                         :filename => path
-      ret || view_default!(path)
+      ## please see note in write_to_disk on important usage
+      ## of quotes to avoid remote command injection.
+      write_to_disk do |file|
+
+        @@view_tempfiles.push file # make sure the tempfile is not garbage collected before sup stops
+
+        ret = HookManager.run "mime-view", :content_type => @content_type,
+                                           :filename => file.path
+        ret || view_default!(file.path)
+      end
     end
 
+    ## note that the path returned from write_to_disk is
+    ## Shellwords.escaped and is intended to be used without single
+    ## or double quotes. the use of either opens sup up for remote
+    ## code injection through the file name.
     def write_to_disk
-      file = Tempfile.new(["sup", @filename.gsub("/", "_") || "sup-attachment"])
-      file.print @raw_content
-      file.close
-      file.path
+      begin
+        file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
+        file.print @raw_content
+        yield file if block_given?
+        return file.path
+      ensure
+        file.close
+      end
     end
 
     ## used when viewing the attachment as text
@@ -229,7 +263,7 @@ EOS
   class EnclosedMessage
     attr_reader :lines
     def initialize from, to, cc, date, subj
-      @from = from ? "unknown sender" : from.full_adress
+      @from = from ? "unknown sender" : from.full_address
       @to = to ? "" : to.map { |p| p.full_address }.join(", ")
       @cc = cc ? "" : cc.map { |p| p.full_address }.join(", ")
       if date

data/lib/sup/version.rb

@@ -1,3 +1,3 @@
 module Redwood
-  VERSION = "0.13.2"
+  VERSION = "0.13.2.1"
 end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sup
 version: !ruby/object:Gem::Version
-  version: 0.13.2
+  version: 0.13.2.1
   prerelease: 
   segments:
   - 0
   - 13
   - 2
-  hash: 1496957733399950236
+  - 1
+  hash: 3165895177967591158
 platform: ruby
 authors:
 - William Morgan
@@ -16,37 +17,8 @@ authors:
 - Matthieu Rakotojaona
 autorequire: 
 bindir: bin
-cert_chain:
-- !binary |-
-  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWRENDQWp5Z0F3SUJB
-  Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREJRTVFzd0NRWURWUVFEREFKbFp6
-  RVYKTUJNR0NnbVNKb21UOGl4a0FSa1dCV2RoZFhSbE1SVXdFd1lLQ1pJbWla
-  UHlMR1FCR1JZRmRtVjBjMm94RXpBUgpCZ29Ka2lhSmsvSXNaQUVaRmdOamIy
-  MHdIaGNOTVRNd05UQTRNVEF6T0RRM1doY05NVFF3TlRBNE1UQXpPRFEzCldq
-  QlFNUXN3Q1FZRFZRUUREQUpsWnpFVk1CTUdDZ21TSm9tVDhpeGtBUmtXQldk
-  aGRYUmxNUlV3RXdZS0NaSW0KaVpQeUxHUUJHUllGZG1WMGMyb3hFekFSQmdv
-  SmtpYUprL0lzWkFFWkZnTmpiMjB3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFV
-  QUE0SUJEd0F3Z2dFS0FvSUJBUUM3c05jNXpZNE1yWUI3ZXl3RS9hSzJJb0Rx
-  cE05bHE0WkZsSHp0ClBtcTFMRzZhaDJsdS9IZmpxeGlQb3F3WTdRa2RTT0dE
-  TFNrN0c4WUJxREEvdE9EaGtQUFNUcXhCRHpZeUNPNDYKaGFXVHRvTjV0Smt4
-  SURKS3AxblZYSGkwTWxiNEdKVktkOVAwcTk1QmVCWUJmczh2eVBOK3k0YjRH
-  ZWJneDlVMwpLcU1EYmU1aDlNQVBaR210aVJGTWIzdWdtaXVqRG03djhmQUNh
-  NUV0U3ZLL2x4TWtSRGdsZWNUL2tuRTk5TllJCmwzNVNPL0J1bmUxYnhZbWt3
-  VzY0bVE0d1JsR1ZlQW5YKzE5bXNBTGZTOXJkSkwyNmRmVzJMZ3FXaTVRb1ZU
-  QkgKS05LVGwvaTNmeEswbXpndG5vUkNXZE1KUUZOTm9uRlRuUFVVYXdpMWM5
-  S2g0QWRQQWdNQkFBR2pPVEEzTUFrRwpBMVVkRXdRQ01BQXdIUVlEVlIwT0JC
-  WUVGSk5DT3hMMFNXY2JXMk0rRElFVXpBTXoxYlpzTUFzR0ExVWREd1FFCkF3
-  SUVzREFOQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBcjNRVWF5ZDBnZUJERXhP
-  K1d3emFFUEF1VVozeldRWUcKRzl2cnBsQ2ttSnRqUy9YL3dWQWVmN0puL1Y1
-  TU5rWEtYc2lPZ1hKWGtpK243SHVsTlpVZjFyenI3VW45NmdWSgoxaHEvWlR1
-  YXBuUHBzdEJxcWR2NjBSQjhITkd5ZEhRZUV6NnVzNXozbmorS2NoUHFKNjU3
-  RHo4b1gvTm02LzI0CjdRU1FwQ2g4eEJZZFNXRXBvSUUwelVTWTc3THRWVFJW
-  d0lyOXVEcFdUVHI5a0NWQklOQnNPUU5qV0tydUVXalYKK0pNdURzK2lXZWZw
-  RjRSM0J5U29PYzFRNFdvRVMzK29jMHFvMzdNc0FaeWZuUUlQVFpreUxaQ014
-  ZUw2TWhhNApoRmMyeUFOQmo4dm9hWTVDNzRDZzJWcUV4dGNuU2F4VXRXOXdD
-  NHc1aE9sZzBBVmZiMUpXemc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
-  Cg==
-date: 2013-06-26 00:00:00.000000000 Z
+cert_chain: []
+date: 2013-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: xapian-full-alaveteli
@@ -60,7 +32,7 @@ dependencies:
         segments:
         - 1
         - 2
-        hash: -3733181840957152875
+        hash: 868825659676859863
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -73,7 +45,7 @@ dependencies:
         segments:
         - 1
         - 2
-        hash: -3733181840957152875
+        hash: 868825659676859863
 - !ruby/object:Gem::Dependency
   name: ncursesw-sup
   requirement: !ruby/object:Gem::Requirement
@@ -86,7 +58,7 @@ dependencies:
         segments:
         - 1
         - 3
-        hash: -876597745176914036
+        hash: 507327302350482719
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.3.1
@@ -95,7 +67,7 @@ dependencies:
         - 1
         - 3
         - 1
-        hash: -640291375575489877
+        hash: 3105951872946229212
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -108,7 +80,7 @@ dependencies:
         segments:
         - 1
         - 3
-        hash: -876597745176914036
+        hash: 507327302350482719
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.3.1
@@ -117,7 +89,7 @@ dependencies:
         - 1
         - 3
         - 1
-        hash: -640291375575489877
+        hash: 3105951872946229212
 - !ruby/object:Gem::Dependency
   name: rmail
   requirement: !ruby/object:Gem::Requirement
@@ -130,7 +102,7 @@ dependencies:
         segments:
         - 0
         - 17
-        hash: -2258731216383999369
+        hash: 3437085760670918924
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -143,7 +115,7 @@ dependencies:
         segments:
         - 0
         - 17
-        hash: -2258731216383999369
+        hash: 3437085760670918924
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -155,7 +127,7 @@ dependencies:
         prerelease: 
         segments:
         - 0
-        hash: -3965538710650358713
+        hash: 780439954604562836
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -167,7 +139,7 @@ dependencies:
         prerelease: 
         segments:
         - 0
-        hash: -3965538710650358713
+        hash: 780439954604562836
 - !ruby/object:Gem::Dependency
   name: trollop
   requirement: !ruby/object:Gem::Requirement
@@ -180,7 +152,7 @@ dependencies:
         segments:
         - 1
         - 12
-        hash: -2988883823466951243
+        hash: -1471803907522368170
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -193,7 +165,7 @@ dependencies:
         segments:
         - 1
         - 12
-        hash: -2988883823466951243
+        hash: -1471803907522368170
 - !ruby/object:Gem::Dependency
   name: lockfile
   requirement: !ruby/object:Gem::Requirement
@@ -205,7 +177,7 @@ dependencies:
         prerelease: 
         segments:
         - 0
-        hash: -3965538710650358713
+        hash: 780439954604562836
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -217,7 +189,7 @@ dependencies:
         prerelease: 
         segments:
         - 0
-        hash: -3965538710650358713
+        hash: 780439954604562836
 - !ruby/object:Gem::Dependency
   name: mime-types
   requirement: !ruby/object:Gem::Requirement
@@ -229,7 +201,7 @@ dependencies:
         prerelease: 
         segments:
         - 1
-        hash: -1212563861242074830
+        hash: -2685865212927832791
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -241,7 +213,7 @@ dependencies:
         prerelease: 
         segments:
         - 1
-        hash: -1212563861242074830
+        hash: -2685865212927832791
 - !ruby/object:Gem::Dependency
   name: locale
   requirement: !ruby/object:Gem::Requirement
@@ -254,7 +226,7 @@ dependencies:
         segments:
         - 2
         - 0
-        hash: 1592099054184333623
+        hash: -535226096568000350
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -267,7 +239,7 @@ dependencies:
         segments:
         - 2
         - 0
-        hash: 1592099054184333623
+        hash: -535226096568000350
 - !ruby/object:Gem::Dependency
   name: chronic
   requirement: !ruby/object:Gem::Requirement
@@ -280,7 +252,7 @@ dependencies:
         segments:
         - 0
         - 9
-        hash: 2378526325938346664
+        hash: 2184205100294773721
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 0.9.1
@@ -289,7 +261,7 @@ dependencies:
         - 0
         - 9
         - 1
-        hash: 4569877028918522321
+        hash: -1556404584947433146
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -302,7 +274,7 @@ dependencies:
         segments:
         - 0
         - 9
-        hash: 2378526325938346664
+        hash: 2184205100294773721
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 0.9.1
@@ -311,7 +283,7 @@ dependencies:
         - 0
         - 9
         - 1
-        hash: 4569877028918522321
+        hash: -1556404584947433146
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement

metadata.gz.sig

@@ -1,3 +0,0 @@
-/�F�;V��*->Ɂ����g'��Z����s2��Y*3A��\_`�m��өL%�A�􄅫��uA;1G�l��>aH�C��$?S
8��K^�	���8�h�&��UQ��*��X��j���nz����0�
��a��'�w0ք�L�Ք����qA@|#PKL���
-M}"�o��W�-l+1�񣞭ʐ��-~ZB�,����)��p-�
-�L���%s�����|�����Б����B9�T�������'�