CVE-2009-5147

Name: CVE-2009-5147
Description: DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-299-1, DLA-300-1
NVD severity: high (attack range: remote)
Debian Bugs: 796344

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby1.8 (PTS) | wheezy | 1.8.7.358-7.1+deb7u3 | vulnerable |
| ruby1.8 | wheezy (security) | 1.8.7.358-7.1+deb7u4 | vulnerable |
| ruby1.9.1 (PTS) | wheezy | 1.9.3.194-8.1+deb7u5 | vulnerable |
| ruby1.9.1 | wheezy (security) | 1.9.3.194-8.1+deb7u6 | vulnerable |
| ruby2.1 (PTS) | jessie | 2.1.5-2+deb8u3 | fixed |
| ruby2.1 | jessie (security) | 2.1.5-2+deb8u1 | vulnerable |

The information below is based on the following data on fixed versions.

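| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby1.8 | source | (unstable) | (unfixed) | high | | |
| ruby1.8 | source | squeeze | 1.8.7.302-2squeeze5 | high | DLA-299-1 | |
| ruby1.9.1 | source | (unstable) | (unfixed) | high | | |
| ruby1.9.1 | source | squeeze | 1.9.2.0-2+deb6u7 | high | DLA-300-1 | |
| ruby2.0 | source | (unstable) | (unfixed) | high | | |
| ruby2.1 | source | (unstable) | (unfixed) | high | | 796344 |
| ruby2.1 | source | jessie | 2.1.5-2+deb8u3 | high | | |
| ruby2.2 | source | (unstable) | (not affected) | | | |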

Notes

[wheezy] - ruby1.8 <no-dsa> (Minor issue)
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue)
- ruby2.2 <not-affected> (Does not contain DL, cf note and corresponding CVE-2015-7551)
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Although the upstream commit is mentioned, the corresponding change does not
seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
https://sources.debian.net/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not
contain the change.
In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7
Discussion http://seclists.org/oss-sec/2015/q3/220
DL has been replaced in 2.2 with Fiddle which has the same problem according to maintainer.
