CVE-2009-5147
Published 2017-03-29
CVE-2009-5147: DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Priority: P3 (40) · Severity: high · CVSS 3.0 base score: 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 7.77% (93.9th percentile)
Affected
19 ranges (only the two ranges that carry version data in the source are listed; the remaining 17 ruby-lang/ruby ranges have no version or fix information)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.3 | — |
| ruby-lang | ruby | <= 2.0.0-p647 | — |
Detection & IOCs (extracted from sources)
- The vulnerable code path is Ruby's DL::dlopen; monitor for dynamic library loading calls that bypass taint checking when $SAFE > 0.
- The vulnerability was re-introduced in the Fiddle module (ext/fiddle/handle.c) after DL was reimplemented on top of Fiddle and libffi; detection should also cover Fiddle::Handle usage with tainted strings.
- The upstream fix commit for the regression (CVE-2015-7551 / CVE-2009-5147) is available for patch-level verification.
- The DL module was removed in Ruby 2.2, so the DL::dlopen vector does not apply to Ruby 2.2+; only the Fiddle::Handle vector (the CVE-2015-7551 regression) applies there.
- CVE-2009-5147 was fixed in Ruby 1.9.1-p129 on the DL branch but was never backported to the other branches (1.8, 2.0, 2.1), leaving those versions vulnerable.
- Red Hat rated this issue as Low severity and marked all affected RHEL packages as "Will not fix"; do not rely on OS vendor patches for RHEL 4–7.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.3 | HIGH | — |
| vendor_redhat | — | 7.3 | HIGH | — |
| vendor_ubuntu | — | 7.3 | HIGH | — |
Ubuntu
Ruby vulnerabilities (vendor_ubuntu · 2017-07-25 · CVSS 7.3)
CVE-2009-5147 [HIGH]
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby DL::dlopen incorrectly handled opening
libraries. An attacker could possibly use this issue to open libraries with
tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)
Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby
OpenSSL extension incorrectly handled hostname wildcard matching. This
issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly
handled certain crafted strings. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue only
applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
It was discovered that Ruby N
Red Hat
ruby: DL::dlopen could open a library with tainted library name (vendor_redhat · 2009-05-11 · CVSS 7.3)
CVE-2009-5147 [HIGH] CWE-267
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Statement: Red Hat Product Security has rated this issue as having Low security
impact. This issue is not currently planned to be addressed in future updates.
For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
Package: ruby193-ruby (CloudForms Management Engine 5) - Will not fix
Package: ruby (Red Hat Enterprise Linux 4) - Will not fix
Package: ruby (Red Hat Enterprise Linux 5) - Will not fix
Package: ruby (Red Hat Enterprise Linux 6) - Will not fix
Package: ruby (Red Hat Enterprise Linux 7) - Will not fix
Pac
Red Hat
ruby: DL::dlopen could open a library with tainted library name (vendor_redhat · 2009-05-11 · CVSS 7.3)
CVE-2015-7551 [HIGH] CWE-267
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.
Statement: Red Hat Product Security has rated this issue as having Low security
impact. This issue is not currently planned to be addressed in future updates.
For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/
GHSA
GHSA-m9xr-x5mq-4fp5 (ghsa_unreviewed · 2022-05-14 · CVSS 7.3)
CVE-2015-7551 [HIGH] CWE-20
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.
GHSA
GHSA-mmq8-m72q-qgm4 (ghsa_unreviewed · 2022-05-02)
CVE-2009-5147 [HIGH] CWE-20
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (osv · 2017-07-25 · CVSS 7.3)
CVE-2009-5147 [HIGH]
It was discovered that Ruby DL::dlopen incorrectly handled opening
libraries. An attacker could possibly use this issue to open libraries with
tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)
Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby
OpenSSL extension incorrectly handled hostname wildcard matching. This
issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly
handled certain crafted strings. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue only
applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequ
OSV
CVE-2009-5147: DL::dlopen in Ruby 1 (osv · 2017-03-29 · CVSS 7.3)
CVE-2009-5147 [HIGH]
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
OSV
CVE-2015-7551: The Fiddle::Handle implementation in ext/fiddle/handle (osv · 2016-03-23 · CVSS 7.3)
CVE-2015-7551 [HIGH]
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name (bugzilla · 2015-07-31 · CVSS 7.3)
CVE-2009-5147 [HIGH]
DL::dlopen could open a library with tainted library name even if $SAFE > 0. This vulnerability affects Ruby versions 1.8, 1.9, 2.1, 2.2.
Upstream patch:
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Additional information and CVE assignment:
http://seclists.org/oss-sec/2015/q3/222
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1248937]
---
(In reply to Adam Mariš from comment #0)
> DL::dlopen could open a library with tainted library name even if $SAFE > 0.
> This vulnerability affects Ruby versions 1.8, 1.9, 2.1, 2.2.
This is hardly true, since DL was removed from Ruby 2.2:
https://github.com/ruby/ruby/commit/07308c4d30b8c5
Bugzilla
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name [fedora-all] (bugzilla · 2015-07-31 · CVSS 7.3)
CVE-2009-5147 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mult
References
- http://seclists.org/oss-sec/2015/q3/222
- http://www.securityfocus.com/bid/76060
- https://access.redhat.com/errata/RHSA-2018:0583
- https://bugzilla.redhat.com/show_bug.cgi?id=1248935
- https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
- https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/