From 2931ed1db673fe896f47c90f239ede6af79f47bc Mon Sep 17 00:00:00 2001 From: Xin LI Date: Mon, 22 Jun 2015 07:13:46 +0000 Subject: [PATCH] Document rubygem-paperclip validation bypass vulnerabilitiy. PR: 200979 Submitted by: Jason Unovitch --- security/vuxml/vuln.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index da85ec36890f..6bc9781fc4f1 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -57,6 +57,42 @@ Notes: --> + + rubygem-paperclip -- validation bypass vulnerabilitiy + + + rubygem-paperclip + 4.2.2 + + + + +

Jon Yurek reports:

+
+

Thanks to MORI Shingo of DeNA Co., Ltd. for reporting this.

+

There is an issue where if an HTML file is uploaded with a .html + extension, but the content type is listed as being `image/jpeg`, + this will bypass a validation checking for images. But it will also + pass the spoof check, because a file named .html and containing + actual HTML passes the spoof check.

+

This change makes it so that we also check the supplied content + type. So even if the file contains HTML and ends with .html, it + doesn't match the content type of `image/jpeg` and so it fails.

+
+ +
+ + CVE-2015-2963 + https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57 + https://robots.thoughtbot.com/paperclip-security-release + http://jvn.jp/en/jp/JVN83881261/index.html + + + 2015-06-05 + 2015-06-22 + +
+ chicken -- Potential buffer overrun in string-translate*
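Review bot: The added topic line reads "rubygem-paperclip -- validation bypass vulnerabilitiy"; that misspelling becomes the published title of the entry, so it should be corrected to "vulnerability" before this lands (the commit subject carries the same typo). The description is quoted from the upstream report and should stay verbatim. It is also worth confirming that the 4.2.2 bound in the affected range corresponds to the release containing the referenced commit 9aee4112f36058cd28d5fe4a006d6981bd1eda57, since nothing in the entry text states which release carries the fix.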