CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
Posted by hsbt on 23 Apr 2024

We have released Ruby versions 3.0.7, 3.1.5, 3.2.4 and 3.3.1, which include a security fix for an arbitrary memory address read vulnerability in Regex search. This vulnerability has been assigned the CVE identifier CVE-2024-27282.

Details
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

CVE-2024-27280: Buffer overread vulnerability in StringIO
Posted by hsbt on 21 Mar 2024

We have released StringIO gem versions 3.0.1.1 and 3.0.1.2, which include a security fix for a buffer overread vulnerability. This vulnerability has been assigned the CVE identifier CVE-2024-27280.

Details
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.

Note that the upstream bug report also includes CVE-2024-27281. This is handled in bug 927565 since we unbundle rdoc.

Fixed versions:
- ruby 3.1.5
- ruby 3.2.4
- ruby 3.3.1
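An added check, not part of this bug report or of the Ruby project's tooling, that compares a Ruby version and a StringIO gem version against the affected and fixed ranges quoted in the two advisories above; the function names and the use of Gem::Version for comparison are my own choices.

```ruby
require "rubygems"

# CVE-2024-27282: Ruby 3.x through 3.3.0 is affected; first fixed release per series,
# taken from the advisory above.
REGEX_FIXED = {
  "3.0" => "3.0.7",
  "3.1" => "3.1.5",
  "3.2" => "3.2.4",
  "3.3" => "3.3.1",
}.freeze

# CVE-2024-27280: StringIO 3.0.1 as distributed in these Ruby ranges is affected;
# gem 3.0.1.1 / 3.0.1.2 are the fixed releases, StringIO 3.0.3+ and Ruby 3.2+ are unaffected.
STRINGIO_AFFECTED_RUBY = [
  Gem::Requirement.new(">= 3.0.0", "<= 3.0.6"),
  Gem::Requirement.new(">= 3.1.0", "<= 3.1.4"),
].freeze

# "3.2.3" -> "3.2", used to look up the fixed release of the same series.
def minor_series(version)
  version.segments.first(2).join(".")
end

# True when the Ruby interpreter version is exposed to CVE-2024-27282.
# Series the advisory does not name (2.x, 3.4+) are reported as not affected.
def regex_vulnerable?(ruby_version)
  v = Gem::Version.new(ruby_version)
  fixed = REGEX_FIXED[minor_series(v)]
  return false unless fixed
  v < Gem::Version.new(fixed)
end

# True when StringIO stringio_version running under ruby_version is exposed to CVE-2024-27280.
# The advisory names exactly gem 3.0.1, so 3.0.1.1 and 3.0.1.2 compare as not equal and pass.
def stringio_vulnerable?(stringio_version, ruby_version)
  sio  = Gem::Version.new(stringio_version)
  ruby = Gem::Version.new(ruby_version)
  return false if ruby >= Gem::Version.new("3.2.0")
  return false if sio  >= Gem::Version.new("3.0.3")
  return false unless STRINGIO_AFFECTED_RUBY.any? { |req| req.satisfied_by?(ruby) }
  sio == Gem::Version.new("3.0.1")
end

# Convenience report for the running interpreter; StringIO::VERSION is absent on old gems.
def report_running_ruby
  sio = defined?(StringIO::VERSION) ? StringIO::VERSION : nil
  {
    ruby: RUBY_VERSION,
    cve_2024_27282: regex_vulnerable?(RUBY_VERSION),
    cve_2024_27280: sio ? stringio_vulnerable?(sio, RUBY_VERSION) : :unknown,
  }
end
```

Running `ruby -rstringio check.rb -e 'p report_running_ruby'` on a host prints which of the two CVEs the installed interpreter and gem pair is still exposed to.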
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a48f2b84f6339e92e1f5ad8f605a59b28b350ba

commit 2a48f2b84f6339e92e1f5ad8f605a59b28b350ba
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-04-24 05:43:16 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-04-24 05:43:50 +0000

    dev-lang/ruby: add 3.2.4, 3.3.1

    Bug: https://bugs.gentoo.org/930533
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   2 +
 dev-lang/ruby/ruby-3.2.4.ebuild | 296 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.3.1.ebuild | 293 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 591 insertions(+)
Ruby 3.1.5 crashes in its test suite and has broken backports as reported upstream. I expect a 3.1.6 in a few days. No rush here looking at the A4 severity.
Ruby 3.1.5 has been added as well. Given some test failures with MJIT and upstream reports about incompatibilities I think we should wait a bit before adding a stable bug.