CVE-2015-9097: prevent SMTP command injection via To/From addresses #1097
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jeremy
force-pushed
the
security/smtp-injection
branch
from
7c2bc76
to
6671495
Compare
Validate addresses passed as SMTP command arguments to prevent injection of other SMTP commands. Disallow line breaks and very long addresses which may cause overflows on some old SMTP servers. Ruby 2.4 Net::SMTP already disallows addresses that contain newlines. Enforce this validation in Mail to cover older Ruby versions and other SMTP implementations that don't validate input. SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf Ruby security report: https://hackerone.com/reports/137631 OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677
jeremy
force-pushed
the
security/smtp-injection
branch
from
6671495
to
31c6ca4
Compare
This was referenced May 9, 2017
This was referenced May 9, 2017
buren
added a commit
to justarrived/just_match_api
that referenced
this pull request
May 10, 2017
|
@jeremy when might we expect an official 2.6.6 release for this? Currently I only see a |
|
@jordan-brough Expect an official 2.6.6 after RC1 has had a fair number of installs to shake out regressions. Note than 2.6.x is (coincidentally) not vulnerable to this issue, thanks to #505 stripping CRLF from header values. |
amatriain
added a commit
to amatriain/feedbunch
that referenced
this pull request
May 15, 2017
This fixes a vulnerability that allows users to send spam from any form that allows email input (e.g. signup). For more about the vulnerability see: mikel/mail#1097 When implicit dependency resolution in Gemfile.lock resolves to a released mail version that includes the fix, the explicit dependency in Gemfile will be removed.
drewda
added a commit
to transitland/transitland-datastore
that referenced
this pull request
Jun 1, 2017
see mikel/mail#1097 TODO: remove once mikel/mail#1116 is addressed
eviltrout
added a commit
to discourse/discourse
that referenced
this pull request
Jun 1, 2017
eviltrout
added a commit
to discourse/discourse
that referenced
this pull request
Jun 1, 2017
eviltrout
added a commit
to discourse/discourse
that referenced
this pull request
Jun 1, 2017
|
One month and >10,000 downloads for 2.6.6.rc1. |
ylansegal
added a commit
to ylansegal/tokenator
that referenced
this pull request
Jun 9, 2017
jeremyolliver
added a commit
to jeremyolliver/ruby-advisory-db
that referenced
this pull request
Jun 12, 2017
As per comment mikel/mail#1097 (comment) versions 2.5.5 and 2.6.6 include patches for this issue, 2.6.0 to 2.6.5 do not mikel/mail 2-6-stable branch fixes in commit 37908c37dfb26ea262d0fa7916cd9bbee3750e63 mikel/mail 2-5-stable branch fixes in commit f4239e4cc03d982219a6fa58e059d8758bbd2d8f
jeremy
changed the title
ulferts
added a commit
to opf/openproject
that referenced
this pull request
Jun 13, 2017
OP is not affected by the vulnerability as: * We limit the length of mail fields * 2.6.x is not vulnerable at all (mikel/mail#1097 (comment)) But gemnasium complains and this produces a red badge which looks bad. The rc has been around for some time now, so it should be stable enough. I expect to bump the version once the official 2.6.6 has been released.
oliverguenther
pushed a commit
to opf/openproject
that referenced
this pull request
Jun 14, 2017
OP is not affected by the vulnerability as: * We limit the length of mail fields * 2.6.x is not vulnerable at all (mikel/mail#1097 (comment)) But gemnasium complains and this produces a red badge which looks bad. The rc has been around for some time now, so it should be stable enough. I expect to bump the version once the official 2.6.6 has been released. [ci skip]
boltronics
pushed a commit
to sitepoint/discourse
that referenced
this pull request
Oct 10, 2017
thegcat
pushed a commit
to planio-gmbh/mail
that referenced
this pull request
Jan 26, 2018
Mail 2.6.6 Security: * mikel#1097 – SMTP security: prevent command injection via To/From addresses. (jeremy) Bugs: * mikel#689 - Fix Exim delivery method broken by mikel#477 in 2.5.4. (jethrogb)
This was referenced Mar 12, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Validate addresses passed as SMTP command arguments to prevent
injection of other SMTP commands. Disallow line breaks and very
long addresses which may cause overflows on some old SMTP servers.
Ruby 2.4 Net::SMTP already disallows addresses that contain newlines.
Enforce this validation in Mail to cover older Ruby versions and
other SMTP implementations that don't validate input.
SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677