[DRE-maint] Bug#864561: ruby-mail: vulnerable to SMTP Injection via recipient email addresses

Georg Faerber georg at riseup.net
Sat Jun 10 17:22:21 UTC 2017


Package: ruby-mail
Severity: important
Tags: upstream fixed-upstream security

Rubysec advisory [1]: "Because the Mail Gem for Ruby does not validate or
impose a length limit on email address fields, an attacker can modify
messages sent with the gem via a specially-crafted recipient email
address.

Applications that validate email address format are not affected by this
vulnerability.

The recipient attack is described in Terada, Takeshi. "SMTP Injection
via Recipient Email Addresses." 2015. The attacks described in the paper
(Terada, p. 4) can be applied to the library without any modification."

Upstream fix targeting 2.5 [2]; upstream fix targeting 2.6 [3].

[1] https://rubysec.com/advisories/mail-OSVDB-131677
[2] https://github.com/mikel/mail/pull/1099
[3] https://github.com/mikel/mail/pull/1098
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20170610/3870c076/attachment.sig>


More information about the Pkg-ruby-extras-maintainers mailing list