Patches from upstream to fix CVE-2015-7551.
See:
for more details.
Based on the ruby 2.1 commit at:
--- ruby-2.1.6/ext/fiddle/handle.c.orig 2016-04-06 05:46:29.137190481 -0700
+++ ruby-2.1.6/ext/fiddle/handle.c 2016-04-06 06:15:33.342534009 -0700
@@ -1,6 +1,8 @@
#include <ruby.h>
#include <fiddle.h>
+#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))
+
VALUE rb_cHandle;
struct dl_handle {
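Review bot: The new `SafeStringValueCStr(v)` macro has no comment, and it has two properties a later caller can trip over: it takes `&v`, so the argument must be a modifiable lvalue, and it expands `v` more than once, so an argument with side effects is unsafe. It is also the whole of the fix, so it deserves a line saying why it exists. I would put a short comment above it, for example `/* Raises SecurityError for a tainted string when $SAFE > 0, then returns a NUL-checked C string; v must be an lvalue and is evaluated more than once. */`.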
@@ -143,11 +145,11 @@
cflag = RTLD_LAZY | RTLD_GLOBAL;
break;
case 1:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
cflag = RTLD_LAZY | RTLD_GLOBAL;
break;
case 2:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
cflag = NUM2INT(flag);
break;
default:
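Review bot: In `case 1:` and `case 2:` the replacement does more than add the taint check. `StringValuePtr` returned the buffer as-is, whereas the `StringValueCStr` inside the new macro raises on a string with an embedded NUL byte. That is the safer behaviour for a library path, because a truncated name would otherwise be loaded silently, but it is a caller-visible change that neither the patch description nor the new tests mention. I would note it in the description and add a comment at the first use such as `/* rejects tainted paths under $SAFE and paths containing NUL */`. The enclosing switch starts and ends outside this hunk, so any other branch that reads `lib` is not visible here.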
@@ -263,7 +265,7 @@
return PTR2NUM(fiddle_handle);
}
-static VALUE fiddle_handle_sym(void *handle, const char *symbol);
+static VALUE fiddle_handle_sym(void *handle, VALUE symbol);
/*
* Document-method: sym
@@ -282,7 +284,7 @@
rb_raise(rb_eFiddleError, "closed handle");
}
- return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym));
+ return fiddle_handle_sym(fiddle_handle->ptr, sym);
}
#ifndef RTLD_NEXT
@@ -305,11 +307,11 @@
static VALUE
rb_fiddle_handle_s_sym(VALUE self, VALUE sym)
{
- return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym));
+ return fiddle_handle_sym(RTLD_NEXT, sym);
}
static VALUE
-fiddle_handle_sym(void *handle, const char *name)
+fiddle_handle_sym(void *handle, VALUE symbol)
{
#if defined(HAVE_DLERROR)
const char *err;
@@ -318,6 +320,7 @@
# define CHECK_DLERROR
#endif
void (*func)();
+ const char *name = SafeStringValueCStr(symbol);
rb_secure(2);
#ifdef HAVE_DLERROR
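Review bot: `name` is now a raw pointer into the String held by `symbol`, and on the success path nothing visible keeps `symbol` referenced after this line. Because `rb_string_value(&v)` inside the macro can replace `symbol` with a freshly converted String that is referenced only from this frame, I would add `RB_GC_GUARD(symbol);` just before the final `return PTR2NUM(func);`. The body of fiddle_handle_sym continues outside the hunk, so whether anything between the lookup and the return can allocate cannot be confirmed from here. Treat this as a point to verify rather than a demonstrated bug.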
@@ -367,7 +370,7 @@
}
#endif
if( !func ){
- rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name);
+ rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol);
}
return PTR2NUM(func);
--- ruby-2.1.6/test/fiddle/test_handle.rb.orig 2016-04-06 05:48:53.672048772 -0700
+++ ruby-2.1.6/test/fiddle/test_handle.rb 2016-04-06 05:49:32.100668554 -0700
@@ -10,6 +10,23 @@
include Test::Unit::Assertions
+ def test_safe_handle_open
+ t = Thread.new do
+ $SAFE = 1
+ Fiddle::Handle.new(LIBC_SO.taint)
+ end
+ assert_raise(SecurityError) { t.value }
+ end
+
+ def test_safe_function_lookup
+ t = Thread.new do
+ h = Fiddle::Handle.new(LIBC_SO)
+ $SAFE = 1
+ h["qsort".taint]
+ end
+ assert_raise(SecurityError) { t.value }
+ end
+
def test_to_i
handle = Fiddle::Handle.new(LIBC_SO)
assert_kind_of Integer, handle.to_i
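Review bot: The two new tests cover only the one-argument `Fiddle::Handle.new` and the instance lookup `h[...]`. The flag-taking constructor (the `case 2:` branch in handle.c) and the class-level lookup routed through `rb_fiddle_handle_s_sym` get the same taint check but no test. A regression in either path would pass this suite. A test for the two-argument constructor is sketched below. A class-level one would need a platform guard, since handle.c carries an `#ifndef RTLD_NEXT` fallback.

```ruby
  # … unchanged: test_safe_handle_open, test_safe_function_lookup …

  def test_safe_handle_open_with_flags
    t = Thread.new do
      $SAFE = 1
      Fiddle::Handle.new(LIBC_SO.taint, Fiddle::Handle::RTLD_LAZY)
    end
    assert_raise(SecurityError) { t.value }
  end
```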