Bug 930533 (CVE-2024-27280, CVE-2024-27282) - <dev-lang/ruby-{3.1.5,3.2.4,3.3.3}: Multiple Vulnerabilities
Summary: <dev-lang/ruby-{3.1.5,3.2.4,3.3.3}: Multiple Vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-27280, CVE-2024-27282
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/202...
Whiteboard: A4 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-24 04:59 UTC by Hans de Graaff
Modified: 2024-04-27 11:14 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2024-04-24 04:59:42 UTC
CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search

Posted by hsbt on 23 Apr 2024

We have released Ruby versions 3.0.7, 3.1.5, 3.2.4 and 3.3.1, which have a security fix for an arbitrary memory address read vulnerability in Regex search. This vulnerability has been assigned the CVE identifier CVE-2024-27282.
Details

An issue was discovered in Ruby 3.x through 3.3.0.

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.


CVE-2024-27280: Buffer overread vulnerability in StringIO

Posted by hsbt on 21 Mar 2024

We have released StringIO gem versions 3.0.1.1 and 3.0.1.2, which have a security fix for a buffer overread vulnerability. This vulnerability has been assigned the CVE identifier CVE-2024-27280.
Details

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.


Note that the upstream bug report also includes CVE-2024-27281. This is handled in bug 927565 since we unbundle rdoc.

Fixed versions:
- ruby 3.1.5
- ruby 3.2.4
- ruby 3.3.1
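The affected and fixed ranges from the two advisories quoted above, turned into a runnable check. This is an added example, not Gentoo's or upstream's code, and every function name in it is the example's own. The two status functions take version strings and classify them strictly by the ranges the advisories state (anything the advisories do not name comes back as :unknown rather than a guess); running_ruby_status applies them to the interpreter executing the script, assuming StringIO::VERSION is defined (nil falls through to :unknown); ungetc_roundtrip_ok? exercises the ungetc/ungetbyte-then-gets contract named in CVE-2024-27280 on a constructed buffer, checking documented behaviour only and not attempting the overread; and literal_regexp is the version-independent mitigation for CVE-2024-27282, keeping attacker-supplied text out of the regex compiler with Regexp.escape.

```ruby
require 'rubygems'
require 'stringio'

# Added example, not Gentoo or upstream code. Version ranges are copied from
# the two advisories in this bug; versions they do not mention come back as
# :unknown rather than being guessed.

def gv(s)
  Gem::Version.new(s)
end

# CVE-2024-27282: "Ruby 3.x through 3.3.0"; fixed in 3.0.7, 3.1.5, 3.2.4, 3.3.1.
def cve_2024_27282_status(ruby_version)
  v = gv(ruby_version)
  return :unknown if v < gv("3.0.0")           # 2.x is not covered by the advisory
  fixed_in = { "3.0" => "3.0.7", "3.1" => "3.1.5", "3.2" => "3.2.4", "3.3" => "3.3.1" }
  maj, min = v.segments
  fix = fixed_in["#{maj}.#{min.to_i}"]
  return :unaffected if fix.nil?               # newer than the affected range
  v < gv(fix) ? :affected : :fixed
end

# CVE-2024-27280: StringIO 3.0.1 (as shipped with Ruby 3.0.0-3.0.6 and
# 3.1.0-3.1.4) is affected; 3.0.1.1 and 3.0.1.2 are the fixed gems; 3.0.3 and
# later are not affected. Gem::Version orders 3.0.1 < 3.0.1.1 < 3.0.1.2 < 3.0.2,
# so a naive "affected if < 3.0.2" test would wrongly flag the fixed gems.
def cve_2024_27280_status(stringio_version)
  return :unknown if stringio_version.nil?
  v = gv(stringio_version)
  return :unaffected if v >= gv("3.0.3")
  return :fixed      if v >= gv("3.0.1.1") && v < gv("3.0.2")
  return :affected   if v >= gv("3.0.1")   && v < gv("3.0.1.1")
  :unknown                                      # older than 3.0.1, or 3.0.2: not named
end

# Status of the interpreter running this script. StringIO::VERSION is assumed
# to be defined (an assumption of this example); if it is not, nil is passed
# through and reported as :unknown.
def running_ruby_status
  sio = defined?(StringIO::VERSION) ? StringIO::VERSION : nil
  {
    ruby: RUBY_VERSION,
    stringio: sio,
    "CVE-2024-27282": cve_2024_27282_status(RUBY_VERSION),
    "CVE-2024-27280": cve_2024_27280_status(sio),
  }
end

# Contract check for the StringIO path named in CVE-2024-27280: after ungetc or
# ungetbyte, the next gets must return exactly the pushed-back bytes followed by
# the rest of the buffer, and nothing past the end of the string. This checks
# the documented behaviour on the running interpreter; it is not the overread
# trigger itself.
def ungetc_roundtrip_ok?
  io = StringIO.new("line one\nline two\n".dup)   # constructed sample input
  io.getc                                         # consume "l"; pos is now 1
  io.ungetc("L")                                  # writes "L" at pos 0, pos back to 0
  first = io.gets                                 # pos is now 9
  io.ungetbyte("X".ord)                           # overwrites the byte at pos 8
  second = io.gets
  first == "Line one\n" && second == "Xline two\n" && io.gets.nil?
end

# Version-independent mitigation for CVE-2024-27282: untrusted text must never
# reach Regexp.new as pattern syntax. Regexp.escape turns it into a literal, so
# the regex compiler only ever sees syntax the application itself wrote.
def literal_regexp(untrusted)
  Regexp.new(Regexp.escape(untrusted))
end

if __FILE__ == $0
  p running_ruby_status
  p ungetc_roundtrip_ok?
end
```

Run it with the interpreter you want to audit; an :affected result for either CVE means that Ruby needs one of the fixed versions listed above, and :unknown means the version is outside what the advisories say, so check it by hand rather than treating it as safe.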
Comment 1 Larry the Git Cow gentoo-dev 2024-04-24 05:44:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a48f2b84f6339e92e1f5ad8f605a59b28b350ba

commit 2a48f2b84f6339e92e1f5ad8f605a59b28b350ba
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-04-24 05:43:16 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-04-24 05:43:50 +0000

    dev-lang/ruby: add 3.2.4, 3.3.1
    
    Bug: https://bugs.gentoo.org/930533
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   2 +
 dev-lang/ruby/ruby-3.2.4.ebuild | 296 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.3.1.ebuild | 293 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 591 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-04-24 05:46:36 UTC
Ruby 3.1.5 crashes in its test suite and has broken backports as reported upstream. I expect a 3.1.6 in a few days. No rush here looking at the A4 severity.
Comment 3 Hans de Graaff gentoo-dev Security 2024-04-27 07:46:46 UTC
Ruby 3.1.5 has been added as well. Given some test failures with MJIT and upstream reports about incompatibilities I think we should wait a bit before adding a stable bug.