Bug 2075685 (CVE-2022-28738)

Summary: CVE-2022-28738 Ruby: Double free in Regexp compilation
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, jaruga, jorton, jprokop, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vondruch, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ruby 3.0.4, ruby 3.1.2
Doc Text: A double-free vulnerability was found in Ruby. The issue occurs during Regexp compilation. This flaw allows an attacker to create a Regexp object with a crafted source string that could cause the same memory to be freed twice.
Last Closed: 2022-11-29 15:27:42 UTC
Bug Depends On: 2078342, 2078343, 2078344, 2078345, 2109430, 2109434, 2123285, 2128624
Bug Blocks: 2075682

Description Sage McTaggart 2022-04-14 21:34:16 UTC
CVE-2022-28738: Double free in Regexp compilation

Posted by mame on 12 Apr 2022

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.

Details

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

Please update Ruby to 3.0.4, or 3.1.2.

Affected versions

    ruby 3.0.3 or prior
    ruby 3.1.1 or prior

Note that ruby 2.6 series and 2.7 series are not affected.

Credits

Thanks to piao for discovering this issue.

History

    Originally published at 2022-04-12 12:00:00 (UTC)

Comment 1 Sandipan Roy 2022-04-25 04:59:17 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078342]

Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078343]

Comment 5 errata-xmlrpc 2022-09-13 09:45:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450

Comment 6 errata-xmlrpc 2022-09-20 13:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6585 https://access.redhat.com/errata/RHSA-2022:6585

Comment 7 errata-xmlrpc 2022-10-11 07:31:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855

Comment 8 Product Security DevOps Team 2022-11-29 15:27:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28738