Opened 9 years ago
Closed 9 years ago
#7262 closed enhancement (fixed)
ruby-2.2.4
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.9 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )

This is a Security Release

CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL

Posted by usa on 16 Dec 2015

There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.

Details

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi. Also, CVE-2009-5147 was fixed in DL for Ruby 1.9.1 but not for other branches, so rubies that bundle DL, except Ruby 1.9.1, are still vulnerable.

Impacted code looks something like this:

    handle = Fiddle::Handle.new(dangerous_user_input)

Or:

    handle = Fiddle::Handle.new(some_library)
    function_pointer = handle[dangerous_user_input]

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

▪ All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
▪ All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
▪ All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
▪ All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
▪ Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
▪ prior to trunk revision 53153 (Fiddle).

Workarounds

If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle:

    class Fiddle::Handle
      alias :old_initialize :initialize
      # Refuse to dlopen a library whose path came from tainted (untrusted) input.
      def initialize file, *args
        raise SecurityError if file.tainted? && $SAFE > 0
        old_initialize file, *args
      end

      alias :sym :[]
      alias :old_call :[]
      # Refuse to look up a symbol whose name came from tainted (untrusted) input.
      def [] fun
        raise SecurityError if fun.tainted? && $SAFE > 0
        old_call fun
      end
    end

If you are using DL, use Fiddle instead of it.

Credits

Thanks to Christian Hofstaedtler zeha@debian.org for reporting this issue!

History

Originally published at 2015-12-16 12:00:00 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7551
http://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.4.tar.xz
https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-2-4-released/
SHA1: 9216cf34df7fd5ce8059a6403951d6d47964442a
Ruby 2.2.4 Released

Posted by nagachika on 16 Dec 2015

Ruby 2.2.4 has been released. This release includes a security fix for the Fiddle extension. Please view the topic below for more details.

CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL

There are also some bugfixes. See ChangeLog for details.
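As an added example (not part of the ticket or of the Ruby advisory quoted above), here is a small Ruby check that encodes the advisory's affected-version list, so a packager can tell whether an installed interpreter still needs the Fiddle workaround; the function names and keyword arguments are my own, and the inputs mirror Ruby's RUBY_VERSION and RUBY_PATCHLEVEL constants.

```ruby
# Added example, not from the ticket or the advisory: map an interpreter
# version onto the CVE-2015-7551 affected-version list.
# Returns the affected component names (DL and/or Fiddle), or [] when the
# version lies outside the advisory's list.
def cve_2015_7551_affected(version, patchlevel: nil, preview: nil)
  major, minor, teeny = version.split(".").map(&:to_i)
  teeny ||= 0
  case [major, minor]
  when [1, 9]
    # All patch releases of 1.9.2 and 1.9.3; 1.9.1 already carried the DL fix.
    teeny >= 2 ? %w[DL Fiddle] : []
  when [2, 0]
    # 2.0.0 is fixed from patchlevel 648; an unknown patchlevel counts as affected.
    (patchlevel.nil? || patchlevel < 648) ? %w[DL Fiddle] : []
  when [2, 1]
    teeny < 8 ? %w[DL Fiddle] : []
  when [2, 2]
    # 2.2 no longer ships DL, so only Fiddle is affected before 2.2.4.
    teeny < 4 ? %w[Fiddle] : []
  when [2, 3]
    # Only 2.3.0 preview 1 and preview 2 are listed; the final 2.3.0 is not.
    (teeny == 0 && [1, 2].include?(preview)) ? %w[Fiddle] : []
  else
    []
  end
end

# True when the running (or given) interpreter needs the advisory's
# Fiddle::Handle monkey patch because upgrading is not an option.
def needs_fiddle_workaround?(version, patchlevel: nil, preview: nil)
  cve_2015_7551_affected(version, patchlevel: patchlevel, preview: preview)
    .include?("Fiddle")
end

if __FILE__ == $0
  # Constructed sample interpreters on both sides of the advisory's boundaries.
  [["2.2.3", {}], ["2.2.4", {}], ["2.0.0", { patchlevel: 598 }],
   ["2.0.0", { patchlevel: 648 }], ["2.3.0", { preview: 2 }]].each do |v, opts|
    puts "#{v} #{opts}: #{cve_2015_7551_affected(v, **opts).inspect}"
  end
end
```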
Change History (3)
comment:1 by , 9 years ago
Description: modified (diff)

comment:2 by , 9 years ago
Owner: changed from  to
Status: new → assigned

comment:3 by , 9 years ago
Resolution: → fixed
Status: assigned → closed
Ken, LibreOffice-5.0.4 is currently broken with boost-1.60.0.

Fixed at r16741.