CVE-2009-5147

NameCVE-2009-5147
DescriptionDL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-299-1, DLA-300-1
Debian Bugs796344

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby2.1 (PTS)jessie, jessie (lts)2.1.5-2+deb8u14fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby1.8sourcesqueeze1.8.7.302-2squeeze5DLA-299-1
ruby1.8source(unstable)(unfixed)
ruby1.9.1sourcesqueeze1.9.2.0-2+deb6u7DLA-300-1
ruby1.9.1source(unstable)(unfixed)
ruby2.0source(unstable)(unfixed)
ruby2.1sourcejessie2.1.5-2+deb8u3
ruby2.1source(unstable)(unfixed)796344
ruby2.2source(unstable)(not affected)

Notes

[wheezy] - ruby1.8 <no-dsa> (Minor issue)
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue)
- ruby2.2 <not-affected> (Does not contain DL, cf note and corresponding CVE-2015-7551)
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Although the is upstream commit mentioned, the corresponding change does not
seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
https://sources.debian.org/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not
contain the change.
In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7
Discussion http://seclists.org/oss-sec/2015/q3/220
DL has been replaced in 2.2 with Fiddle which has the same problem according to maintainer.
Search for package or bug name: Reporting problems