Bugzilla – Bug 959495
VUL-0: CVE-2015-7551: ruby19,ruby: Unsafe tainted string usage in Fiddle and DL
Last modified: 2017-10-26 05:40:37 UTC
CVE-2015-7551 https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/

There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.

Details

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi. As for DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not in the other branches, so Rubies that bundle DL, other than Ruby 1.9.1, are still vulnerable.

Impacted code looks something like this:

    handle = Fiddle::Handle.new(dangerous_user_input)

Or:

    handle = Fiddle::Handle.new(some_library)
    function_pointer = handle[dangerous_user_input]

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
prior to trunk revision 53153 (Fiddle).

Workarounds

If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle:

    class Fiddle::Handle
      alias :old_initialize :initialize

      def initialize file, *args
        raise SecurityError if file.tainted? && $SAFE > 0
        old_initialize file, *args
      end

      alias :sym :[]
      alias :old_call :[]

      def [] fun
        raise SecurityError if fun.tainted? && $SAFE > 0
        old_call fun
      end
    end

If you are using DL, use Fiddle instead of it.

Credits

Thanks to Christian Hofstaedtler zeha@debian.org for reporting this issue!

History

Originally published at 2015-12-16 12:00:00 UTC
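The advisory's workaround depends on Ruby's taint tracking and $SAFE, which no longer exist on current Rubies ($SAFE lost its meaning in 3.0 and Object#tainted? was removed in 3.2), so the durable control for the two impacted patterns above is to never hand untrusted strings to Fiddle::Handle.new or Handle#[] at all. The following is an added example, not code from the advisory, from ruby/ruby or from the SUSE packages: an allow-list front end that maps a caller-supplied key to a fixed library file name and accepts only the C symbols the application actually needs. The library and symbol tables are illustrative assumptions; the Fiddle call itself is reached only after both checks pass.

```ruby
# Added example (not from the advisory or the ruby/ruby project): keep
# untrusted input away from Fiddle::Handle.new and Fiddle::Handle#[] by
# resolving everything through an allow-list. Tables below are assumptions
# for illustration; a real application lists only what it links against.
module SafeFiddle
  # Logical key (what a caller may name) -> real shared object to load.
  ALLOWED_LIBRARIES = {
    "libc" => "libc.so.6",
    "libm" => "libm.so.6",
  }.freeze

  # Per library, the only symbols a caller is permitted to resolve.
  ALLOWED_SYMBOLS = {
    "libc" => %w[strlen getpid].freeze,
    "libm" => %w[sqrt pow].freeze,
  }.freeze

  # A C identifier; rejects paths, spaces and NUL/odd bytes before the
  # allow-list is even consulted.
  IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_]*\z/

  # Map a caller-supplied key to a fixed file name. The untrusted string is
  # only ever used as a lookup key, never as the path given to dlopen().
  def self.library_path(key)
    ALLOWED_LIBRARIES.fetch(key.to_s) do
      raise SecurityError, "library #{key.inspect} is not allow-listed"
    end
  end

  # Accept a symbol name only if it is a plain identifier and is listed for
  # that library; e.g. "system" is refused even though libc exports it.
  def self.check_symbol(key, sym)
    name = sym.to_s
    allowed = ALLOWED_SYMBOLS.fetch(key.to_s, [])
    unless name.match?(IDENTIFIER) && allowed.include?(name)
      raise SecurityError, "symbol #{name.inspect} is not allow-listed for #{key}"
    end
    name
  end

  # Convenience predicate: would (key, sym) reach Fiddle at all?
  def self.accepted?(key, sym)
    library_path(key)
    check_symbol(key, sym)
    true
  rescue SecurityError
    false
  end

  # The only place Fiddle is touched. Both arguments have been validated, so
  # the strings reaching Fiddle::Handle.new and #[] are our own constants.
  # Requires a platform where the allow-listed libraries exist (glibc names
  # are assumed here), so it is not exercised by the demo below.
  def self.symbol_address(key, sym)
    require "fiddle"
    path = library_path(key)
    name = check_symbol(key, sym)
    Fiddle::Handle.new(path)[name] # Integer address of the symbol
  end
end

# Demo over constructed untrusted inputs (all made up for this example).
if __FILE__ == $PROGRAM_NAME
  [
    ["libc", "strlen"],            # accepted
    ["libc", "system"],            # exported by libc, but not allow-listed
    ["libc", "../../tmp/evil.so"], # not an identifier
    ["/tmp/evil.so", "init"],      # arbitrary dlopen() attempt
    ["libm", "strlen"],            # wrong library for that symbol
  ].each do |lib, sym|
    verdict = SafeFiddle.accepted?(lib, sym) ? "accepted" : "rejected"
    puts "#{verdict}: #{lib.inspect} / #{sym.inspect}"
  end
end
```

The point of the design is that the only strings reaching Fiddle are values from the frozen tables; the caller's input chooses between them but never becomes a dlopen() path or a dlsym() name, which is exactly what the two impacted snippets in the advisory allow.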
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 24, 2015". When done, reassign the bug to "security-team@suse.de". /update/121177/.
bugbot adjusting priority
ruby19 is not affected. Fiddle::Handle was copied from DL::Handle in commit 4600cf725a86ce31266153647ae5aa1197b1215b, which is not included in the ruby_1_9_3 branch. DL::Handle was already patched with https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b, which had already been applied to the ruby19 RPM when fixing CVE-2009-5147. See: https://bugzilla.novell.com/show_bug.cgi?id=939860
do we have a POC for this?
(In reply to Marcus Rückert from comment #4)
> do we have a POC for this?

Yes: https://github.com/vpereira/CVE-2009-5147
File foo2.rb abuses CVE-2015-7551
openSUSE-SU-2017:0933-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1018808,959495
CVE References: CVE-2015-7551,CVE-2016-2339
Sources used:
openSUSE Leap 42.2 (src): ruby2.2-2.2.6-6.3.1, ruby2.3-2.3.3-2.3.1
openSUSE Leap 42.1 (src): ruby2.2-2.2.6-6.1
SUSE-SU-2017:0948-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 926974,959495,986630
CVE References: CVE-2015-1855,CVE-2015-7551
Sources used:
SUSE Webyast 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Studio Onsite 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Server 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ruby-1.8.7.p357-0.9.19.1
SUSE Lifecycle Management Server 1.3 (src): ruby-1.8.7.p357-0.9.19.1
SUSE-SU-2017:1067-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Server 12-SP1 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ruby2.1-2.1.9-15.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ruby2.1-2.1.9-15.1
OpenStack Cloud Magnum Orchestration 7 (src): ruby2.1-2.1.9-15.1
openSUSE-SU-2017:1128-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1014863,1018808,887877,909695,926974,936032,959495,986630
CVE References: CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Sources used:
openSUSE Leap 42.2 (src): ruby2.1-2.1.9-8.3.2
openSUSE Leap 42.1 (src): ruby2.1-2.1.9-10.2
released