Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838073 (CVE-2022-28738, CVE-2022-28739) - <dev-lang/ruby-{2.6.10, 2.7.6, 3.0.4, 3.1.2}: multiple vulnerabilities (CVE-2022-{28739,28738})
Summary: <dev-lang/ruby-{2.6.10, 2.7.6, 3.0.4, 3.1.2}: multiple vulnerabilities (CVE-2...
Status: IN_PROGRESS
Alias: CVE-2022-28738, CVE-2022-28739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 838133
Blocks:
  Show dependency tree
 
Reported: 2022-04-12 13:35 UTC by Hans de Graaff
Modified: 2022-05-01 15:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2022-04-12 13:35:31 UTC
CVE-2022-28739: Buffer overrun in String-to-Float conversion

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739. We strongly recommend upgrading Ruby.
Details

Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.

Affected versions

    ruby 2.6.9 or prior
    ruby 2.7.5 or prior
    ruby 3.0.3 or prior
    ruby 3.1.1 or prior



CVE-2022-28738: Double free in Regexp compilation

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.
Details

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

Please update Ruby to 3.0.4, or 3.1.2.
Affected versions

    ruby 3.0.3 or prior
    ruby 3.1.1 or prior

Note that ruby 2.6 series and 2.7 series are not affected.
Comment 1 Larry the Git Cow gentoo-dev 2022-04-12 14:09:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb184b3d7b32297d7534101b691e85320c35ec97

commit fb184b3d7b32297d7534101b691e85320c35ec97
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-04-12 14:08:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-04-12 14:09:03 +0000

    dev-lang/ruby: add 2.6.10, 2.7.6, 3.0.4, 3.1.2
    
    Bug: https://bugs.gentoo.org/838073
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest           |   4 +
 dev-lang/ruby/ruby-2.6.10.ebuild | 258 +++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.6.ebuild  | 272 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.4.ebuild  | 267 ++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.1.2.ebuild  | 267 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 1068 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-12 14:12:40 UTC
Thanks! Please stable when ready.
Comment 3 Hans de Graaff gentoo-dev 2022-05-01 07:40:09 UTC
Cleanup done.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-01 15:39:30 UTC
Thanks!