VYPR
Moderate severity · NVD Advisory · Published Dec 7, 2013 · Updated Apr 29, 2026

CVE-2013-4478

Description

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
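An added example, not code from the Sup project or from this advisory, contrasting the two patterns the page shows: the old Hooks.txt example that interpolates the attachment name inside single quotes, and the fixed form that uses Shellwords.escape without quotes. It uses Shellwords.split as a stand-in for the shell's quoting and word-splitting rules, shows why escaping an already-escaped path (the situation the patch's write_to_disk note warns about) corrupts the argument, and ends with the argv form that avoids a shell entirely. The sample names are constructed.

```ruby
require 'shellwords'

# Constructed sample attachment names; none come from the advisory.
SAMPLE_NAMES = [
  "report.html",
  "quarterly report.html",
  "x;y.html",                # shell metacharacter inside the name
  "it's here.html"           # single quote: defeats a single-quoted wrapper
].freeze

# Pre-fix pattern from the old Hooks.txt example: interpolate the name
# inside single quotes in a shell command string.
def quoted_command(filename)
  "/usr/bin/w3m -dump -T text/html '#{filename}'"
end

# Post-fix pattern: Shellwords.escape yields one shell token, used bare.
def escaped_command(filename)
  "/usr/bin/w3m -dump -T text/html #{Shellwords.escape(filename)}"
end

# Tokenize the command with sh-style quoting rules (Shellwords.split does
# not interpret operators such as ';', only quotes and backslashes) and
# return the file operand w3m would receive, or nil when the string cannot
# be parsed at all (unmatched quote).
def file_operand(command)
  Shellwords.split(command).last
rescue ArgumentError
  nil
end

# True only if the shell hands the name back unchanged as a single argument.
def round_trips?(builder, filename)
  file_operand(builder.call(filename)) == filename
end

# Escaping an already-escaped path a second time (what happens if a hook
# calls Shellwords.escape on the pre-escaped value write_to_disk returns)
# turns the backslashes into literal characters of the argument.
def double_escaped(filename)
  Shellwords.split(Shellwords.escape(Shellwords.escape(filename))).first
end

# Safest option: no shell at all. An argv array handed to IO.popen or
# Process.spawn delivers the name verbatim whatever it contains.
def viewer_argv(filename)
  ["/usr/bin/w3m", "-dump", "-T", "text/html", filename]
end
```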

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions        Patched versions
sup (RubyGems)   < 0.13.2.1               0.13.2.1
sup (RubyGems)   >= 0.14.0, < 0.14.1.1    0.14.1.1

Affected products (5)

  • Supmua/Sup (5 versions)
    • cpe:2.3:a:supmua:sup:*:*:*:*:*:*:*:* (range: <= 0.13.2)
    • cpe:2.3:a:supmua:sup:0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:supmua:sup:0.14.1:*:*:*:*:*:*:*

Patches (1)

Commit 8b46cdbfc14e

security: shellwords escape attachment file names to prevent remote code injection

https://github.com/sup-heliotrope/sup · Gaute Hope · Oct 28, 2013 · via ghsa
2 files changed · +20 −4
  • doc/Hooks.txt (+2 −1, modified)
    @@ -50,10 +50,11 @@ before-poll:
     mime-decode:
       ## turn text/html attachments into plain text, unless they are part
       ## of a multipart/alternative pair
    +  require 'shellwords'
       unless sibling_types.member? "text/plain"
         case content_type
         when "text/html"
    -      `/usr/bin/w3m -dump -T #{content_type} '#(unknown)'`
    +      `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
         end
       end
     
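Review bot: the example hook now applies Shellwords.escape to `filename`, but the hook's filename argument is `lambda { write_to_disk }` (see the mime-decode call in message_chunks.rb), and the note added to write_to_disk says its return value is already Shellwords-escaped and meant to be used without quotes. Escaping it a second time makes the backslashes literal characters of the argument, so either write_to_disk should return the raw path and the hook example escape it, or the hook example should drop the Shellwords.escape call; the two halves of the patch currently disagree. Minor: put `require 'shellwords'` at the top of the example rather than between the comment and the `unless`.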
    
  • lib/sup/message_chunks.rb (+18 −3, modified)
    @@ -60,6 +60,8 @@ def make_tmpname(prefix_suffix, n)
     module Redwood
     module Chunk
       class Attachment
    +    ## please see note in write_to_disk on important usage
    +    ## of quotes to avoid remote command injection.
         HookManager.register "mime-decode", <<EOS
     Decodes a MIME attachment into text form. The text will be displayed
     directly in Sup. For attachments that you wish to use a separate program
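Review bot: the usage requirement (the path handed to the hook is pre-escaped and must not be wrapped in quotes) belongs in the user-facing hook documentation, i.e. inside the heredoc passed to HookManager.register, since hook authors read that text rather than a `##` source comment pointing at write_to_disk.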
    @@ -76,6 +78,9 @@ class Attachment
       The decoded text of the attachment, or nil if not decoded.
     EOS
     
    +
    +    ## please see note in write_to_disk on important usage
    +    ## of quotes to avoid remote command injection.
         HookManager.register "mime-view", <<EOS
     Views a non-text MIME attachment. This hook allows you to run
     third-party programs for attachments that require such a thing (e.g.
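Review bot: the first added line is an empty `+` line, which leaves two blank lines before the comment; drop it. The comment itself is a verbatim copy of the one added above the mime-decode registration, and the same point applies: state the no-quotes requirement in the mime-view heredoc that hook authors actually see.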
    @@ -122,6 +127,8 @@ def initialize content_type, filename, encoded_content, sibling_types
           when /^text\/plain\b/
             @raw_content
           else
    +        ## please see note in write_to_disk on important usage
    +        ## of quotes to avoid remote command injection.
             HookManager.run "mime-decode", :content_type => content_type,
                             :filename => lambda { write_to_disk },
                             :charset => encoded_content.charset,
    @@ -153,18 +160,22 @@ def expandable?; !viewable? end
         def initial_state; :open end
         def viewable?; @lines.nil? end
         def view_default! path
    +      ## please see note in write_to_disk on important usage
    +      ## of quotes to avoid remote command injection.
           case RbConfig::CONFIG['arch']
             when /darwin/
    -          cmd = "open '#{path}'"
    +          cmd = "open #{path}"
             else
    -          cmd = "/usr/bin/run-mailcap --action=view '#{@content_type}:#{path}'"
    +          cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
           end
           debug "running: #{cmd.inspect}"
           BufferManager.shell_out(cmd)
           $? == 0
         end
     
         def view!
    +      ## please see note in write_to_disk on important usage
    +      ## of quotes to avoid remote command injection.
           write_to_disk do |file|
     
             @@view_tempfiles.push file # make sure the tempfile is not garbage collected before sup stops
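Review bot: dropping the single quotes is right for `path`, which is pre-escaped, but the run-mailcap line now interpolates `@content_type` unquoted and unescaped, and that value comes from the attachment's own MIME header (see the `initialize content_type, filename, ...` signature in the earlier hunk). Escape it too, e.g. `cmd = "/usr/bin/run-mailcap --action=view #{Shellwords.escape @content_type}:#{path}"`, or better, build an argv array and pass it to a spawn call that involves no shell at all.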
    @@ -175,6 +186,10 @@ def view!
           end
         end
     
    +    ## note that the path returned from write_to_disk is
    +    ## Shellwords.escaped and is intended to be used without single
    +    ## or double quotes. the use of either opens sup up for remote
    +    ## code injection in the file name.
         def write_to_disk
           begin
             file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
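Review bot: the `|| "sup-attachment"` fallback in write_to_disk can never take effect: if `@filename` is nil, `@filename.gsub` raises before the `||` is reached, and Shellwords.escape never returns nil. Guard the nil case first, e.g. `Shellwords.escape((@filename || "sup-attachment").gsub("/", "_"))`. Also worth confirming against the module's own make_tmpname (visible in the first hunk header) that passing an escaped string as the Tempfile basename does not leave literal backslashes in the name on disk, since an unquoted shell expansion of that path would strip them and refer to a different file.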
    @@ -243,7 +258,7 @@ def color; :sig_color end
       class EnclosedMessage
         attr_reader :lines
         def initialize from, to, cc, date, subj
    -      @from = from ? "unknown sender" : from.full_adress
    +      @from = from ? "unknown sender" : from.full_address
           @to = to ? "" : to.map { |p| p.full_address }.join(", ")
           @cc = cc ? "" : cc.map { |p| p.full_address }.join(", ")
           if date
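Review bot: the typo fix is correct, but the three ternaries around it read inverted: `from ? "unknown sender" : from.full_address` returns "unknown sender" when `from` is present and calls full_address on nil when it is absent, and the `to` and `cc` lines have the same shape. Suggest `from ? from.full_address : "unknown sender"` and `to ? to.map { |p| p.full_address }.join(", ") : ""`. This is unrelated to the security fix, so ideally it goes in a separate commit.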
    

