Title: jspec-steventux 3.3.2.1 /tmp vulnerability

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/jspec-steventux

Description: "JSpec is a minimalistic JavaScript behavior driven development framework, providing simple installation, extremely low learning curve, absolutely no pollution to core prototypes, async request support, and incredibly sexy syntax, tons of matchers and much more."

Vulnerabilities
  1. The install function unsafely creates a temp file at a predictable path in /tmp (/tmp/rhino.zip) to store the downloaded rhino.zip; a malicious local user could replace this file with one of their own, installing a modified jar file.
  2. If a remote user can control #{uri}, they can inject commands directly into the shell, as no sanitization of the variable is done.

jspec-steventux-3.3.2.1/src/installables.rb:

      def install
        # (2) uri is interpolated unescaped into a shell command; (1) the download lands at a fixed path in world-writable /tmp
        say "... fetching #{uri}"; `curl #{uri} -o /tmp/rhino.zip 2> /dev/null`
        # the same predictable /tmp/rhino.zip is unpacked and its jar installed, whoever wrote it
        say "... decompressing"; `unzip /tmp/rhino.zip -d /tmp`
        say "... installing to #{path}"; `mv /tmp/rhino1_7R2/js.jar #{path}`
      end
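For comparison, a hardened rewrite of the same install step that addresses both findings, added here as an example and not code from the gem (the helper names validate_rhino_uri, install_commands and run_step are assumptions of this example): the URI is validated as http(s) and then passed to curl, unzip and mv as separate argv elements so no shell ever parses it, and the download goes into a private directory from Dir.mktmpdir instead of a fixed name in /tmp.

```ruby
require "open3"
require "tmpdir"
require "uri"

# Accept only absolute http(s) URIs; anything else (file://, or a string that
# does not even parse as a URI) is refused before any command is built.
def validate_rhino_uri(uri_string)
  uri = URI.parse(uri_string)
  raise ArgumentError, "refusing non-http(s) uri: #{uri_string}" unless uri.is_a?(URI::HTTP)
  raise ArgumentError, "uri has no host" if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed uri: #{e.message}"
end

# Argument vectors for the three steps.  Each element is handed to the
# program as a single argv entry, so shell metacharacters in the URI or in
# the paths are inert data rather than command syntax.
def install_commands(uri, workdir, path)
  zip = File.join(workdir, "rhino.zip")
  [
    ["curl", "--fail", "--silent", "--location", uri, "-o", zip],
    ["unzip", "-q", zip, "-d", workdir],
    ["mv", File.join(workdir, "rhino1_7R2", "js.jar"), path],
  ]
end

# Open3.capture3 with an argv array executes the program directly (no /bin/sh).
def run_step(argv)
  _out, err, status = Open3.capture3(*argv)
  raise "#{argv.first} failed: #{err.strip}" unless status.success?
end

# Hardened install: Dir.mktmpdir creates a fresh mode-0700 directory owned by
# the current user, so another local user cannot pre-create or swap the zip,
# and the directory is removed when the block returns.
def install(uri, path)
  uri = validate_rhino_uri(uri)
  Dir.mktmpdir("jspec-rhino-") do |workdir|
    install_commands(uri, workdir, path).each { |argv| run_step(argv) }
  end
  path
end
```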

Vendor: Not notified, I don't think this code is maintained any longer.