CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL

There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.

Details

There is an unsafe tainted string vulnerability in Fiddle and DL: both pass strings to dlopen(3) and dlsym(3) without checking whether they are tainted, so under $SAFE an attacker-controlled string can choose which shared object gets loaded or which symbol gets resolved. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

For DL itself, CVE-2009-5147 was fixed only in Ruby 1.9.1 and was never applied to the other branches, so every Ruby that bundles DL, apart from Ruby 1.9.1, is still vulnerable.

Impacted code passes attacker-controlled strings to Fiddle::Handle.new (a dlopen) or to Fiddle::Handle#[] (a dlsym), for example:

handle = Fiddle::Handle.new(dangerous_user_input)   # loads a shared object the attacker picked; its constructors run immediately

Or:

handle = Fiddle::Handle.new(some_library)
function_pointer = handle[dangerous_user_input]     # resolves a symbol the attacker picked, e.g. any libc function

All users running an affected release should either upgrade or use one of the workarounds immediately.
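On current rubies the taint check below cannot help, because $SAFE and String#tainted? no longer exist, so the durable fix for the two call sites above is to never let user input reach dlopen or dlsym unvetted. The following is an added example, not code from this advisory or from Fiddle itself: a small SafeFiddle module (the module name, its methods, and the allow-lists are assumptions for illustration) that accepts only allow-listed absolute library paths and allow-listed symbol names, and on rubies that still track taint (before 3.2) also applies the same tainted-under-$SAFE test that the fixed Fiddle applies.

```ruby
# Added example (not from the advisory or from Fiddle): vet library paths and
# symbol names against explicit allow-lists before they reach
# Fiddle::Handle.new (dlopen) or Fiddle::Handle#[] (dlsym).
require 'pathname'

module SafeFiddle
  class Rejected < SecurityError; end

  # Mirror the shipped fix on rubies that still track taint: a tainted string
  # under $SAFE > 0 is refused.  Ruby 3.x has neither taint nor a special
  # $SAFE (it is then an ordinary global, nil by default), so this is a no-op.
  def self.check_taint!(str, what)
    return unless str.respond_to?(:tainted?) && str.tainted?
    raise Rejected, "tainted #{what} under $SAFE=#{$SAFE}" if $SAFE.to_i > 0
  end

  # Returns the cleaned absolute path if it is on the allow-list.  A bare
  # soname such as "libm.so.6" is refused because the loader would search
  # LD_LIBRARY_PATH and the system paths for it.
  def self.check_library(requested, allowed)
    raise Rejected, "library name must be a String" unless requested.is_a?(String)
    raise Rejected, "NUL byte in library name" if requested.include?("\0")
    check_taint!(requested, "library name")
    path = Pathname.new(requested)
    raise Rejected, "relative library path: #{requested}" unless path.absolute?
    canonical = path.cleanpath.to_s # lexically collapses ".", ".." and "//"
    raise Rejected, "library not allow-listed: #{canonical}" unless allowed.include?(canonical)
    canonical
  end

  # Symbol names are compared exactly: dlsym will hand back "system" or
  # "execve" just as readily as "cos" if the caller controls the string.
  def self.check_symbol(name, allowed)
    raise Rejected, "symbol name must be a String" unless name.is_a?(String)
    check_taint!(name, "symbol name")
    raise Rejected, "symbol not allow-listed: #{name.inspect}" unless allowed.include?(name)
    name
  end

  # The only places Fiddle is touched; every argument has been vetted by here.
  def self.open(requested, allowed_libraries)
    require 'fiddle'
    Fiddle::Handle.new(check_library(requested, allowed_libraries))
  end

  def self.lookup(handle, name, allowed_symbols)
    handle[check_symbol(name, allowed_symbols)]
  end
end

if __FILE__ == $0
  # Constructed allow-lists and inputs for a quick demonstration.
  libs = ["/usr/lib/x86_64-linux-gnu/libm.so.6"]
  syms = ["cos", "sin"]
  [["/usr/lib/x86_64-linux-gnu/../x86_64-linux-gnu/libm.so.6", libs, :check_library],
   ["/tmp/evil.so", libs, :check_library],
   ["libm.so.6", libs, :check_library],
   ["cos", syms, :check_symbol],
   ["system", syms, :check_symbol]].each do |input, allowed, check|
    begin
      puts "accepted #{input.inspect} -> #{SafeFiddle.send(check, input, allowed).inspect}"
    rescue SafeFiddle::Rejected => e
      puts "rejected #{input.inspect}: #{e.message}"
    end
  end
end
```

Pathname#cleanpath is purely lexical, so the allow-list is compared after "." and ".." are collapsed but without following symlinks; if the allowed directories may contain attacker-writable symlinks, compare File.realpath of an existing file instead. The two Fiddle-touching methods are kept separate from the checks so the checks can be exercised (and tested) on a machine without libffi.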

Affected Versions

  • All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
  • All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
  • All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
  • All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
  • Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
  • Ruby trunk prior to revision 53153 (Fiddle).

Workarounds

If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle. It only takes effect when $SAFE is raised, since that is the only situation in which taint is enforced. Note that Fiddle::Handle#sym is the same lookup as Fiddle::Handle#[] under another name, so the patch re-aliases it to the checked method after the redefinition; aliasing it beforehand would leave an unchecked path to dlsym:

class Fiddle::Handle
  alias :old_initialize :initialize

  def initialize file, *args
    # refuse a tainted library name (dlopen) under $SAFE
    raise SecurityError if file.tainted? && $SAFE > 0
    old_initialize file, *args
  end

  alias :old_call :[]

  def [] fun
    # refuse a tainted symbol name (dlsym) under $SAFE
    raise SecurityError if fun.tainted? && $SAFE > 0
    old_call fun
  end

  # route #sym through the checked #[] so it cannot bypass the guard
  alias :sym :[]
end

If you are using DL, migrate to Fiddle and apply the patch above until you can upgrade; DL itself receives no workaround.

Credits

Thanks to Christian Hofstaedtler zeha@debian.org for reporting this issue!

History

  • Originally published at 2015-12-16 12:00:00 UTC