Rubysec

Providing security resources for the Ruby community.

---
gem: espeak-ruby
date: 2016-04-13
url: https://github.com/dejan/espeak-ruby/issues/7
cve: 2016-10193
title: espeak-ruby Gem for Ruby Arbitrary Command Execution
description: |
  espeak-ruby passes user-modifiable strings directly to a shell
  command. An attacker can execute malicious commands by modifying
  the strings that are passed as arguments to the speak, save, bytes
  and bytes_wav methods in the lib/espeak/speech.rb library.
patched_versions:
- ">= 1.0.3"
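
The class of bug described above, shown as an added illustration that is not the gem's code or its actual patch: a value interpolated into a shell string is parsed by the shell, while the same value passed as a separate argv element is not. The helper names, the Ruby one-liner standing in for the espeak binary, and the sample input are all assumptions constructed for this example.

```ruby
require "open3"
require "rbconfig"
require "shellwords"

# Stand-in for the external program (assumption): a Ruby one-liner that prints
# its first argument, so the example runs without espeak installed.
RUBY = RbConfig.ruby
ECHO_ARG = "puts ARGV[0]"

# Vulnerable pattern: text is interpolated into one command string. The string
# contains shell metacharacters, so Ruby runs it via /bin/sh, which parses text.
def run_interpolated(text)
  cmd = "#{Shellwords.escape(RUBY)} -e '#{ECHO_ARG}' -- #{text}"
  out, _status = Open3.capture2(cmd)
  out
end

# Hardened pattern: one array element per argument. Ruby execs the program
# directly, no shell is involved, and text arrives as a single literal argument.
def run_argv(text)
  out, _status = Open3.capture2(RUBY, "-e", ECHO_ARG, "--", text)
  out
end

# Fallback when a shell string cannot be avoided: quote the value first.
def run_escaped(text)
  cmd = "#{Shellwords.escape(RUBY)} -e '#{ECHO_ARG}' -- #{Shellwords.escape(text)}"
  out, _status = Open3.capture2(cmd)
  out
end

# Constructed input: a benign marker placed after a command separator.
SAMPLE = "hello; echo INJECTED-MARKER"

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(SAMPLE).inspect}"
  puts "argv:         #{run_argv(SAMPLE).inspect}"
  puts "escaped:      #{run_escaped(SAMPLE).inspect}"
end
```

When reviewing code that wraps a command-line tool, the single-string forms of `system`, backticks, `%x`, `IO.popen` and `Open3` are the calls to look for; the multi-argument forms avoid the shell entirely.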