sup Remote Command Execution

`Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->  
  
[ Authors ]  
joernchen <joernchen () phenoelit de>  
  
Phenoelit Group (http://www.phenoelit.de)  
  
[ Affected Products ]  
sup <= 0.14.1 (on non Darwin systems)  
sup <= 0.13.2 (on non Darwin systems)   
http://supmua.org  
  
[ Vendor communication ]  
2013-10-28 Send vulnerability details to sup maintainer  
2013-10-28 Maintainer proposes fix  
2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]  
2013-10-29 Release of this advisory  
  
[ Description ]  
  
Observe in sup/lib/sup/message_chunks.rb:  
  
def view_default! path  
## please see note in write_to_disk on important usage  
## of quotes to avoid remote command injection.  
case RbConfig::CONFIG['arch']  
when /darwin/  
cmd = "open #{path}"  
else  
cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"  
end  
debug "running: #{cmd.inspect}"  
BufferManager.shell_out(cmd)  
$? == 0  
end  
  
Here @content_type is attacker controlled and not further   
sanitized. By this a forged content type of an email   
attachment can trigger a command injection.  
  
[ Example ]  
For convenience the email delivering this file serves as an  
example. When viewing this attachment in a vulnerable version  
of sup the content type being "text/'`id>/tmp/whatsup`'pwn"  
will generate a file "whatsup" in the /tmp directory.  
  
[ Solution ]  
Upgrade to version 0.14.1.1 or 0.13.2.1  
  
[ References ]  
[0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175  
[1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html  
  
[ end of file ]  
`