There is an unsafe tainted string usage vulnerability in Fiddle and DL.
This vulnerability has been assigned the CVE identifier
There is an unsafe tainted string vulnerability in Fiddle and DL.
This issue was originally reported and fixed with CVE-2009-5147 in DL,
but reappeared after DL was reimplemented using Fiddle and libffi.
As for DL, CVE-2009-5147 was fixed in Ruby 1.9.1
but not in the other branches, so every Ruby that bundles DL,
except Ruby 1.9.1, is still vulnerable.
Impacted code looks something like this:
All users running an affected release should either upgrade or use one of
the workarounds immediately.
- All patch releases of Ruby 1.9.2 and Ruby 1.9.3 (DL and Fiddle).
- All patch releases of Ruby 2.0.0 prior to Ruby 2.0.0 patchlevel 648 (DL and Fiddle).
- All versions of Ruby 2.1 prior to Ruby 2.1.8 (DL and Fiddle).
- All versions of Ruby 2.2 prior to Ruby 2.2.4 (Fiddle).
- Ruby 2.3.0 preview 1 and preview 2 (Fiddle).
- Trunk prior to revision 53153 (Fiddle).
If you cannot upgrade, the following monkey patch can be applied as a
workaround for Fiddle:
If you are using DL, use Fiddle instead.
Thanks to Christian Hofstaedtler for reporting this issue!
- Originally published at 2015-12-16 12:00:00 UTC
Posted by usa on 16 Dec 2015