Debian Security Advisory

DLA-489-1 ruby-mail -- LTS security update

Date Reported:
25 May 2016
Affected Packages:
ruby-mail
Vulnerable:
Yes
Security database references:
No other external database security references currently available.
More information:

This security update fixes a security issue in ruby-mail. We recommend you upgrade your ruby-mail package.

Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a whitepaper entitled SMTP Injection via recipient email addresses (http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section discussing how one such vulnerability affected the mail ruby gem (see section 3.1).

The whitepaper has all the specific details; in short, the mail ruby gem is prone to the recipient attack because it neither validates nor sanitizes the recipient addresses it is given. Thus, the attacks described in chapter 2 of the whitepaper can be applied to the gem without any modification. The mail ruby gem itself does not impose a length limit on email addresses, so an attacker can send a long spam message via a recipient address unless there is a limit on the application's side. This vulnerability affects only applications that lack input validation.
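Since the advisory states that only applications lacking input validation are affected, the application-side check below is an added example of such validation. It is not part of the advisory or of the mail gem: it rejects recipient addresses containing control characters or whitespace (which is what an SMTP injection via a recipient address relies on) and enforces a length limit, which the gem itself does not. The 254-octet limit and the deliberately strict address pattern are choices made for this example, not values from the advisory.

```ruby
# Added example (not part of the Debian advisory or the mail gem): an
# application-side guard applied to recipient addresses before they are
# handed to Mail, since the affected gem neither validates nor sanitizes them.

# Assumed limit: 254 octets is the practical RFC 5321 path length; the
# advisory notes the gem itself sets no limit, so this is an app-side choice.
MAX_ADDRESS_LENGTH = 254

# Anything that could end or alter an SMTP command line: CR, LF, NUL, other
# control characters, and bare whitespace (which is not valid in a bare address).
CONTROL_OR_SPACE = /[\x00-\x20\x7f]/

# A conservative address shape: one '@', a non-empty local part, and a dotted
# domain built only from label characters. Intentionally stricter than RFC 5322.
# Note the \z anchor: \Z would still match with a trailing newline present.
SIMPLE_ADDRESS = /\A[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\z/

# Returns true only for a single, plain address with no injectable characters.
def safe_recipient?(address)
  return false unless address.is_a?(String)
  return false if address.bytesize > MAX_ADDRESS_LENGTH
  # Checked explicitly first so the rejection reason is a control character,
  # independent of how the shape regex happens to be written.
  return false if address.match?(CONTROL_OR_SPACE)
  address.match?(SIMPLE_ADDRESS)
end

# Validates a whole recipient list and raises on the first bad batch, so the
# message is never constructed with an unvalidated address.
def validate_recipients(addresses)
  bad = addresses.reject { |a| safe_recipient?(a) }
  unless bad.empty?
    raise ArgumentError, "rejected recipient address(es): #{bad.map(&:inspect).join(', ')}"
  end
  addresses
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input for a stand-alone run.
  puts validate_recipients(["alice@example.com", "bob@example.org"]).inspect
end
```

The check is meant to run before `Mail.new` / `mail.to=` is called; rejecting rather than stripping characters keeps a tampered address visible in application logs instead of silently turning it into a different, valid one.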

For Debian 7 Wheezy, these problems have been fixed in version 2.4.4-2+deb7u1.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS