CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL

Posted by usa on 16 Dec 2015

There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.

Details

Fiddle and DL accept tainted strings as the library path passed to dlopen() and as the symbol name passed to dlsym(), even when $SAFE > 0, so untrusted input can select which shared object is loaded and which symbol is resolved. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

In DL itself, CVE-2009-5147 was fixed only in Ruby 1.9.1; the fix was never applied to the other branches, so every Ruby that bundles DL other than Ruby 1.9.1 is still vulnerable.

Impacted code looks something like this:

handle = Fiddle::Handle.new(dangerous_user_input)   # attacker-chosen path reaches dlopen()

Or:

handle = Fiddle::Handle.new(some_library)
function_pointer = handle[dangerous_user_input]     # attacker-chosen name reaches dlsym()
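Both shapes pass a caller-supplied string straight to dlopen() or dlsym(). Taint tracking and $SAFE, which the fix for this issue relies on, were deprecated in Ruby 2.7 and later removed, so the durable alternative is to keep user input out of those calls entirely. The following is an added example, not code from this advisory or from Ruby's Fiddle: a small facade that resolves a fixed table of (library, symbol) entries by key, so an attacker-chosen path or symbol name never reaches Fiddle. The SafeFFI module, its TABLE and the two entries are assumptions made for the example; they use nil (the running process's own symbol table) as the library so the example runs without a platform-specific path, where real entries would hold absolute paths.

```ruby
require "fiddle"

# Added example (not from the advisory): a narrow FFI facade that never passes
# caller-supplied strings to dlopen()/dlsym(). Callers select an entry by key;
# the library and symbol strings come only from TABLE.
module SafeFFI
  Entry = Struct.new(:library, :symbol, :arg_types, :ret_type)

  # Constructed table. A nil library means Fiddle::Handle.new(nil), i.e. the
  # running process, which resolves libc symbols such as strlen on Linux and
  # macOS. Real entries would use absolute paths chosen by the developer.
  TABLE = {
    "strlen" => Entry.new(nil, "strlen", [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T),
    "abs"    => Entry.new(nil, "abs",    [Fiddle::TYPE_INT],   Fiddle::TYPE_INT),
  }.freeze

  class NotAllowed < SecurityError; end

  @handles = {}

  # Resolve a function by key. Unknown keys raise before any dlopen()/dlsym()
  # happens, so "system", "../evil.so" and the like are never consulted.
  def self.function(key)
    entry = TABLE.fetch(key) { raise NotAllowed, "no such entry: #{key.inspect}" }
    handle = (@handles[entry.library] ||= Fiddle::Handle.new(entry.library))
    Fiddle::Function.new(handle[entry.symbol], entry.arg_types, entry.ret_type)
  end

  def self.call(key, *args)
    function(key).call(*args)
  end

  # The vulnerable shape from the advisory, kept for contrast: both strings
  # reach dlopen() and dlsym() unchecked. Never call this with untrusted input.
  def self.unsafe_lookup(library, name)
    Fiddle::Handle.new(library)[name]
  end
end

if __FILE__ == $0
  puts SafeFFI.call("strlen", "hello")   # 5
  puts SafeFFI.call("abs", -7)           # 7
  begin
    SafeFFI.function("system")           # refused: not in TABLE
  rescue SafeFFI::NotAllowed => e
    puts "refused: #{e.message}"
  end
end
```

The point of the design is that the only string a caller controls is a hash key; rejecting unknown keys is a lookup failure, not a security check that has to be remembered at every call site.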

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

  • All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
  • All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
  • All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
  • All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
  • Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
  • Ruby trunk prior to revision 53153 (Fiddle).

Workarounds

If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle:

class Fiddle::Handle
  alias :old_initialize :initialize

  # Refuse to dlopen() a library path that came from tainted input.
  def initialize file, *args
    raise SecurityError if file.tainted? && $SAFE > 0
    old_initialize file, *args
  end

  alias :old_sym :sym

  # Refuse to dlsym() a symbol name that came from tainted input.
  def sym fun
    raise SecurityError if fun.tainted? && $SAFE > 0
    old_sym fun
  end
  # Handle#[] is the same lookup under another name, so re-alias it to the
  # checked version; otherwise it would bypass the check.
  alias :[] :sym

  # Handle.sym / Handle.[] (lookup in the process's default handle) take the
  # same argument and need the same check.
  class << self
    alias :old_sym :sym
    def sym fun
      raise SecurityError if fun.tainted? && $SAFE > 0
      old_sym fun
    end
    alias :[] :sym
  end
end

There is no workaround for DL; if you are using DL, switch to Fiddle and apply the patch above or upgrade.

Credits

Thanks to Christian Hofstaedtler zeha@debian.org for reporting this issue!

History

  • Originally published at 2015-12-16 12:00:00 UTC
