---
engine: ruby
cve: 2015-7551
url: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
title: Unsafe tainted string usage in Fiddle and DL
date: 2015-12-16
description: |
  There is an unsafe tainted string vulnerability in Fiddle and DL.
  This issue was originally reported and fixed with CVE-2009-5147 in DL,
  but reappeared after DL was reimplemented using Fiddle and libffi.

  As for DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not in other
  branches, so Rubies that bundle DL, other than Ruby 1.9.1, are still
  vulnerable.
patched_versions:
  - ~> 2.0.0.648
  - ~> 2.1.8
  - ~> 2.2.4
  - ">= 2.3.0"
unaffected_versions:
  - ~> 1.9.1.129