Description
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| ruby1.8 | removed | | | package |
| ruby1.8 | no-dsa | | wheezy | package |
| ruby1.9.1 | removed | | | package |
| ruby1.9.1 | no-dsa | | wheezy | package |
| ruby2.0 | removed | | | package |
| ruby2.1 | removed | | | package |
| ruby2.1 | fixed | 2.1.5-2+deb8u3 | jessie | package |
| ruby2.2 | not-affected | | | package |
Notes
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Although the upstream commit is mentioned, the corresponding change does not
seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
https://sources.debian.org/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not
contain the change.
In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7
Discussion http://seclists.org/oss-sec/2015/q3/220
DL has been replaced in 2.2 with Fiddle, which has the same problem according to the maintainer.