The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.

It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS.
(CVE-2009-5147)

Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching.
This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)

Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551)

It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096)

Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-2337)

It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-2339)

It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This ruby2.1 update to version 2.1.9 fixes the following issues :

Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the     Fiddle::Function.new'initialize' (bsc#1018808)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (bsc#959495)

  - CVE-2015-3900: hostname validation does not work when     fetching gems or making API requests (bsc#936032)

  - CVE-2015-1855: Ruby'a OpenSSL extension suffers a     vulnerability through overly permissive matching of     hostnames (bsc#926974)

  - CVE-2014-4975: off-by-one stack-based buffer overflow in     the encodes() function (bsc#887877)

Bugfixes :

  - SUSEconnect doesn't handle domain wildcards in no_proxy     environment variable properly (bsc#1014863)

  - Segmentation fault after pack & ioctl & unpack     (bsc#909695)

  - Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog :

- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

This update was imported from the SUSE:SLE-12:Update update project.

This ruby2.1 update to version 2.1.9 fixes the following issues:
Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the     Fiddle::Function.new'initialize' (bsc#1018808)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (bsc#959495)

  - CVE-2015-3900: hostname validation does not work when     fetching gems or making API requests (bsc#936032)

  - CVE-2015-1855: Ruby'a OpenSSL extension suffers a     vulnerability through overly permissive matching of     hostnames (bsc#926974)

  - CVE-2014-4975: off-by-one stack-based buffer overflow in     the encodes() function (bsc#887877) Bugfixes :

  - SUSEconnect doesn't handle domain wildcards in no_proxy     environment variable properly (bsc#1014863)

  - Segmentation fault after pack & ioctl & unpack     (bsc#909695)

  - Ruby:HTTP Header injection in 'net/http' (bsc#986630)     ChangeLog :

- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ruby fixes the following issues: Secuirty issues fixed :

  - CVE-2015-1855: Ruby OpenSSL Hostname Verification     (bsc#926974)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (bsc#959495) Bugfixes :

  - fix small mistake in the backport for (bsc#986630)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ruby2.2, ruby2.3 fixes the following issues :

Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the     Fiddle::Function.new'initialize' (boo#1018808)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (boo#959495)

Detailed ChangeLog :

- http://svn.ruby-lang.org/repos/ruby/tags/v2_2_6/ChangeLog

- http://svn.ruby-lang.org/repos/ruby/tags/v2_3_3/ChangeLog

The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.4 and is affected by multiple vulnerabilities in the following components :

 - apache_mod_php
 - AppleRAID
 - AppleUSBNetworking
 - Bluetooth
 - Carbon
 - dyld
 - FontParser
 - HTTPProtocol
 - Intel Graphics Driver
 - IOFireWireFamily
 - IOGraphics
 - IOHIDFamily
 - IOUSBFamily
 - Kernel
 - libxml2
 - Messages
 - NVIDIA Graphics Drivers
 - OpenSSH
 - OpenSSL
 - Python
 - QuickTime
 - Reminders
 - Ruby
 - Security
 - Tcl
 - TrueTypeScaler
 - Wi-Fi

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.4. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - AppleRAID
  - AppleUSBNetworking
  - Bluetooth
  - Carbon
  - dyld
  - FontParser
  - HTTPProtocol
  - Intel Graphics Driver
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - IOUSBFamily
  - Kernel
  - libxml2
  - Messages
  - NVIDIA Graphics Drivers
  - OpenSSH
  - OpenSSL
  - Python
  - QuickTime
  - Reminders
  - Ruby
  - Security
  - Tcl
  - TrueTypeScaler
  - Wi-Fi

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Update to Ruby 2.2.4 including security fix for CVE-2009-5147 and CVE-2015-7551.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

DL::dlopen could open a library with tainted library name even if $SAFE > 0.

Ruby developer reports :

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.

ID	Name	Product	Family	Severity
101974	Ubuntu 14.04 LTS / 16.04 LTS : Ruby vulnerabilities (USN-3365-1)	Nessus	Ubuntu Local Security Checks	critical
99753	openSUSE Security Update : ruby2.1 (openSUSE-2017-527)	Nessus	SuSE Local Security Checks	critical
99578	SUSE SLED12 / SLES12 Security Update : ruby2.1 (SUSE-SU-2017:1067-1)	Nessus	SuSE Local Security Checks	critical
99242	SUSE SLES11 Security Update : ruby (SUSE-SU-2017:0948-1)	Nessus	SuSE Local Security Checks	high
99208	openSUSE Security Update : ruby2.2 / ruby2.3 (openSUSE-2017-435)	Nessus	SuSE Local Security Checks	critical
9327	Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
90096	Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
89454	Fedora 23 : ruby-2.2.4-47.fc23 (2015-eef21b972e)	Nessus	Fedora Local Security Checks	high
89397	Fedora 22 : ruby-2.2.4-47.fc22 (2015-c4409eb73a)	Nessus	Fedora Local Security Checks	high
87966	Amazon Linux AMI : ruby19 / ruby20,ruby21,ruby22 (ALAS-2016-632)	Nessus	Amazon Linux Local Security Checks	high
87610	FreeBSD : Ruby -- unsafe tainted string vulnerability (3b50881d-1860-4721-aab1-503290e23f6c)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2015-7551

high

Tenable Plugins

critical

critical

critical

high

critical

critical

critical

high

high

high

high