CVE-2015-7551

Published: Mar 24, 2016Modified: May 6, 2026

8.4

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.5 / Impact: 5.9

Source: NVD

Description

The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.

Affected (14)

Products: Apple: Mac Os X · Ruby Lang: Ruby

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apple Mac Os X	Up to 10.11.3

Configuration B

13 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 2.0.0-p647
Ruby Lang Ruby	Version 2.1.0
Ruby Lang Ruby	Version 2.1.1
Ruby Lang Ruby	Version 2.1.2
Ruby Lang Ruby	Version 2.1.3
Ruby Lang Ruby	Version 2.1.4
Ruby Lang Ruby	Version 2.1.5
Ruby Lang Ruby	Version 2.1.6
Ruby Lang Ruby	Version 2.1.7
Ruby Lang Ruby	Version 2.2.0
Ruby Lang Ruby	Version 2.2.1
Ruby Lang Ruby	Version 2.2.2
Ruby Lang Ruby	Version 2.2.3

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (22)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344

Source: secalert@redhat.com

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796551

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/76060

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2018:0583

Source: secalert@redhat.com

https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

Source: secalert@redhat.com

https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7551.html

Source: secalert@redhat.com

https://puppet.com/security/cve/ruby-dec-2015-security-fixes

Source: secalert@redhat.com

https://support.apple.com/HT206167

Source: secalert@redhat.com

Vendor Advisory

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/

Source: secalert@redhat.com

PatchVendor Advisory

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344

Source: af854a3a-2127-422b-91ae-364da2661108

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796551

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/76060

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2018:0583

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a

Source: af854a3a-2127-422b-91ae-364da2661108

https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7551.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://puppet.com/security/cve/ruby-dec-2015-security-fixes

Source: af854a3a-2127-422b-91ae-364da2661108

https://support.apple.com/HT206167

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.