Posted by usa on 16 Dec 2015
There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.
Details
There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.
And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.
Impacted code looks something like this:
handle = Fiddle::Handle.new(dangerous_user_input)Or:
handle = Fiddle::Handle.new(some_library)
function_pointer = handle[dangerous_user_input]All users running an affected release should either upgrade or use one of the workarounds immediately.
Affected Versions
- All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
- All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
- All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
- All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
- Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
- prior to trunk revision 53153 (Fiddle).
Workarounds
If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle:
class Fiddle::Handle
alias :old_initialize :initialize
def initialize file, *args
raise SecurityError if file.tainted? && $SAFE > 0
old_initialize file, *args
end
alias :sym :[]
alias :old_call :[]
def [] fun
raise SecurityError if fun.tainted? && $SAFE > 0
old_call fun
end
endIf you are using DL, use Fiddle instead of it.
Credits
Thanks to Christian Hofstaedtler zeha@debian.org for reporting this issue!
History
- Originally published at 2015-12-16 12:00:00 UTC