Ruby 'dl/handle.c' Security Bypass Vulnerability

Ruby is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.

Information

Bugtraq ID: 76060
Class: Design Error
CVE: CVE-2009-5147
CVE-2015-7551

Remote: Yes
Local: No
Published: Jul 28 2015 12:00AM
Credit: Reed Loden
Vulnerable: Yukihiro Matsumoto Ruby 1.9.1
Yukihiro Matsumoto Ruby 1.9 -2
Yukihiro Matsumoto Ruby 1.9 -1
Yukihiro Matsumoto Ruby 1.9
Yukihiro Matsumoto Ruby 1.9.0-3
Oracle Solaris 11.3
openSUSE Leap 42.2
openSUSE Leap 42.1
Apple Mac Os X 10.11.3
Apple Mac Os X 10.11.2
Apple Mac Os X 10.11.1
Apple Mac Os X 10.11

Not Vulnerable: Yukihiro Matsumoto Ruby 1.9.1-p129
Apple Mac OS X Security Update 2016-002 0
Apple Mac Os X 10.11.4

References:

• CVE request: Two ruby 'dl' vulnerabilities fixed in ruby-1.9.1-p129 (Reed Loden)
  
• * ext/dl/dl.c (rb_dlhandle_initialize): prohibits DL::dlopen (Ruby)
  
• Ruby 1.9.1-p129 released (Ruby)
  
• Ruby Homepage (Yukihiro Matsumoto)
  
• Oracle Solaris Third Party Bulletin - April 2016 (Oracle)
  

Source: www.securityfocus.com