Ruby Gem sfpagent 0.4.14 Command Injection

`Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14  
  
Date: 4/15/2014  
  
Author: Larry W. Cashdollar, @_larry0  
  
CVE: 2014-2888  
  
Download: http://rubygems.org/gems/sfpagent  
  
Vulnerability  
The list variable generated from the user supplied JSON[body] input is passed directly to the system() shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands on the remote system as the sfpagent running user id.  
  
637 code, body = get_data(address, port, '/modules')  
638 raise Exception, "Unable to get modules list from {name}" if code.to_i != 200  
639   
640 modules = JSON[body]  
641 list = ''  
642 schemata.each { |m|  
643 list += "{m} " if File.exist?("{modules_dir}/{m}") and  
644 (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)  
645 }  
646   
647 return true if list == ''  
648   
649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")  
650 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"  
651 else  
652 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"  
653 end  
654   
655 return true  
  
Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.  
  
Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html  
  
  
`