Name | CVE-2009-5147 |
Description | DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-299-1, DLA-300-1 |
Debian Bugs | 796344 |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
ruby1.8 | source | squeeze | 1.8.7.302-2squeeze5 | | DLA-299-1 | |
ruby1.8 | source | (unstable) | (unfixed) | | | |
ruby1.9.1 | source | squeeze | 1.9.2.0-2+deb6u7 | | DLA-300-1 | |
ruby1.9.1 | source | (unstable) | (unfixed) | | | |
ruby2.0 | source | (unstable) | (unfixed) | | | |
ruby2.1 | source | jessie | 2.1.5-2+deb8u3 | | | |
ruby2.1 | source | (unstable) | (unfixed) | | | 796344 |
ruby2.2 | source | (unstable) | (not affected) | | | |
[wheezy] - ruby1.8 <no-dsa> (Minor issue)
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue)
- ruby2.2 <not-affected> (Does not contain DL, cf note and corresponding CVE-2015-7551)
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Although the upstream commit is mentioned, the corresponding change does not
seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
https://sources.debian.org/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not
contain the change.
In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7
Discussion http://seclists.org/oss-sec/2015/q3/220
DL has been replaced in 2.2 with Fiddle which has the same problem according to maintainer.