Posted by usa on 16 Dec 2015
There is an unsafe tainted string usage vulnerability in Fiddle and DL. This vulnerability has been assigned the CVE identifier CVE-2015-7551.
There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.
And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.
Impacted code looks something like this:
All users running an affected release should either upgrade or use one of the workarounds immediately.
- All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
- All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
- All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
- All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
- Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
- prior to trunk revision 53153 (Fiddle).
If you cannot upgrade, the following monkey patch can be applied as a workaround for Fiddle:
If you are using DL, use Fiddle instead of it.
Thanks to Christian Hofstaedtler firstname.lastname@example.org for reporting this issue!
- Originally published at 2015-12-16 12:00:00 UTC