FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-mail -- Remote Arbitrary Shell Command Injection Vulnerability

Affected packages
rubygem-mail < 2.2.15

Details

VuXML ID 1cae628c-3569-11e0-8e81-0022190034c0
Discovery 2011-01-25
Entry 2011-02-10

Secunia reports:

Input passed via an email from address is not properly sanitised in the "deliver()" function (lib/mail/network/delivery_methods/sendmail.rb) before being used as a command line argument. This can be exploited to inject arbitrary shell commands.
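The pattern the advisory describes, shown as an added example (not code from the mail gem or from Secunia): a from address interpolated into a shell command string, next to two hardened forms. The stand-in command, the function names and the sample addresses are assumptions constructed for illustration; a `printf` stand-in replaces sendmail so the argument boundaries are visible.

```ruby
require 'open3'
require 'shellwords'

# Stand-in for the sendmail binary (assumption): prints each argument it
# receives in brackets, one per line, so argument boundaries are visible.
STANDIN = "printf '[%s]\\n'"

# Vulnerable pattern: the from address is interpolated into a shell string.
def unsafe_command(from, to)
  "#{STANDIN} -f #{from} #{to}"
end

# Mitigation 1: escape every untrusted value before interpolation.
def escaped_command(from, to)
  "#{STANDIN} -f #{Shellwords.escape(from)} #{Shellwords.escape(to)}"
end

# Runs a command string through sh, as a shell-based delivery method would.
def run_shell(command)
  out, _status = Open3.capture2('sh', '-c', command)
  out.lines.map(&:chomp)
end

# Mitigation 2: fixed script text, addresses passed as separate argv entries,
# so they are never parsed as shell syntax.
def run_argv(from, to)
  script = 'printf "[%s]\n" "$@"'
  out, _status = Open3.capture2('sh', '-c', script, 'standin', '-f', from, to)
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  from = 'sender@example.org; echo INJECTED' # constructed sample input
  to   = 'rcpt@example.org'                  # constructed sample input
  p run_shell(unsafe_command(from, to))  # address splits into a second command
  p run_shell(escaped_command(from, to)) # address stays one argument
  p run_argv(from, to)                   # address stays one argument
end
```

Escaping and argv passing stop the shell from parsing the address, but a value beginning with `-` can still be read as an option by the called program, so the address needs validation as well.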

References

Bugtraq ID 46021
CVE Name CVE-2011-0739
URL http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1
URL http://secunia.com/advisories/43077/