Bug 930533 (CVE-2024-27280, CVE-2024-27282) - <dev-lang/ruby-{3.1.5,3.2.4,3.3.1}: Multiple Vulnerabilities
Summary: <dev-lang/ruby-{3.1.5,3.2.4,3.3.1}: Multiple Vulnerabilities
Alias: CVE-2024-27280, CVE-2024-27282
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A4 [ebuild]
Depends on: 934451
Reported: 2024-04-24 04:59 UTC by Hans de Graaff
Modified: 2024-06-17 06:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2024-04-24 04:59:42 UTC
CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search

Posted by hsbt on 23 Apr 2024

We have released the Ruby version 3.0.7, 3.1.5, 3.2.4 and 3.3.1 that have a security fix for an arbitrary memory address read vulnerability in Regex search. This vulnerability has been assigned the CVE identifier CVE-2024-27282.

An issue was discovered in Ruby 3.x through 3.3.0.

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

CVE-2024-27280: Buffer overread vulnerability in StringIO

Posted by hsbt on 21 Mar 2024

We have released the StringIO gem version and that have a security fix for a buffer overread vulnerability. This vulnerability has been assigned the CVE identifier CVE-2024-27280.

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.

Note that the upstream bug report also includes CVE-2024-27281. This is handled in bug 927565 since we unbundle rdoc.

Fixed versions:
- ruby 3.1.5
- ruby 3.2.4
- ruby 3.3.1
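As an added example, not part of this bug or of the upstream advisories, the following Ruby script turns the affected and fixed version ranges quoted above into a check an administrator can run on a host: it classifies a Ruby release against the CVE-2024-27282 fix versions (3.0.7, 3.1.5, 3.2.4, 3.3.1) and a Ruby/StringIO pair against the CVE-2024-27280 range (StringIO below 3.0.3 on Ruby older than 3.2). Two assumptions are labelled in comments: releases outside the 3.0 to 3.3 series are treated as out of scope of the regex advisory, and every StringIO version below 3.0.3 is treated as affected (the advisory names 3.0.1 explicitly; reading it conservatively is the safer default for an audit).

```ruby
require "rubygems" # Gem::Version for correct numeric comparison of release strings
require "stringio"

# Fixed Ruby releases for CVE-2024-27282 (arbitrary memory read in Regex
# search), keyed by minor series, as listed in the upstream advisory.
REGEX_FIXED = {
  "3.0" => Gem::Version.new("3.0.7"),
  "3.1" => Gem::Version.new("3.1.5"),
  "3.2" => Gem::Version.new("3.2.4"),
  "3.3" => Gem::Version.new("3.3.1"),
}.freeze

# "3.1.4" -> "3.1": the minor series a release belongs to.
def series(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

# CVE-2024-27282: Ruby 3.x through 3.3.0 is affected; each series has its own
# fix release. Assumption: a release whose series is not in the table
# (2.x, or 3.4 and later) is outside the advisory's range and reported as
# not affected.
def regex_cve_affected?(ruby_version)
  v = Gem::Version.new(ruby_version)
  fixed = REGEX_FIXED[series(v)]
  return false if fixed.nil?
  v < fixed
end

# CVE-2024-27280: StringIO ungetbyte/ungetc over-read. Not affected on
# Ruby 3.2.x and later, nor with StringIO 3.0.3 and later. Assumption:
# any older StringIO on Ruby 3.0.x/3.1.x is treated as affected.
def stringio_cve_affected?(ruby_version, stringio_version)
  rv = Gem::Version.new(ruby_version)
  sv = Gem::Version.new(stringio_version)
  return false if rv >= Gem::Version.new("3.2")
  return false if sv >= Gem::Version.new("3.0.3")
  return false if rv < Gem::Version.new("3.0") # advisory covers 3.0.x/3.1.x only
  true
end

# Sorted list of CVE identifiers from this bug that apply to the given pair.
def affected_cves(ruby_version, stringio_version)
  cves = []
  cves << "CVE-2024-27280" if stringio_cve_affected?(ruby_version, stringio_version)
  cves << "CVE-2024-27282" if regex_cve_affected?(ruby_version)
  cves.sort
end

# Live check of the interpreter running this script. StringIO::VERSION is
# exposed by the stringio gem; fall back to "0" (treated as old) if absent.
if __FILE__ == $0
  sio = defined?(StringIO::VERSION) ? StringIO::VERSION : "0"
  found = affected_cves(RUBY_VERSION, sio)
  puts "ruby #{RUBY_VERSION}, stringio #{sio}: " +
       (found.empty? ? "not affected by the CVEs in this bug" : found.join(", "))
end
```

Run it with the interpreter you want to audit (`ruby check.rb`); on Gentoo the bundled StringIO version reported reflects the `dev-lang/ruby` slot in use, so run it once per installed slot.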
Comment 1 Larry the Git Cow gentoo-dev 2024-04-24 05:44:16 UTC
The bug has been referenced in the following commit(s):

commit 2a48f2b84f6339e92e1f5ad8f605a59b28b350ba
Author:     Hans de Graaff <>
AuthorDate: 2024-04-24 05:43:16 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-04-24 05:43:50 +0000

    dev-lang/ruby: add 3.2.4, 3.3.1
    Signed-off-by: Hans de Graaff <>

 dev-lang/ruby/Manifest          |   2 +
 dev-lang/ruby/ruby-3.2.4.ebuild | 296 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.3.1.ebuild | 293 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 591 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-04-24 05:46:36 UTC
Ruby 3.1.5 crashes in its test suite and has broken backports as reported upstream. I expect a 3.1.6 in a few days. No rush here looking at the A4 severity.
Comment 3 Hans de Graaff gentoo-dev Security 2024-04-27 07:46:46 UTC
Ruby 3.1.5 has been added as well. Given some test failures with MJIT and upstream reports about incompatibilities I think we should wait a bit before adding a stable bug.