Bug 2075687 (CVE-2022-28739) - CVE-2022-28739 ruby: Buffer overrun in String-to-Float conversion
Status: CLOSED ERRATA
Alias: CVE-2022-28739
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2078346 2078347 2078348 2078349 2078350 2078351 2078352 2078353 2078354 2078355 2078356 2078357 2091008 2109425 2109429 2109433 2123288 2123289 2128623 2128630
Blocks: 2075682
Reported: 2022-04-14 21:37 UTC by Sage McTaggart
Modified: 2023-11-14 15:18 UTC

Fixed In Version: Ruby 2.6.10, Ruby 2.7.6, Ruby 3.0.4, Ruby 3.1.2
Doc Text:
A buffer overrun vulnerability was found in Ruby. The issue occurs in a conversion algorithm from a String to a Float and, under limited circumstances, causes process termination due to a segmentation fault. This flaw may cause an illegal memory read.
Last Closed: 2022-07-01 01:40:19 UTC


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:5338  0        None      None    None     2022-06-28 15:16:49 UTC
Red Hat Product Errata  RHSA-2022:6447  0        None      None    None     2022-09-13 09:44:02 UTC
Red Hat Product Errata  RHSA-2022:6450  0        None      None    None     2022-09-13 09:45:13 UTC
Red Hat Product Errata  RHSA-2022:6585  0        None      None    None     2022-09-20 13:42:49 UTC
Red Hat Product Errata  RHSA-2022:6855  0        None      None    None     2022-10-11 07:31:37 UTC
Red Hat Product Errata  RHSA-2022:6856  0        None      None    None     2022-10-11 07:32:56 UTC
Red Hat Product Errata  RHSA-2023:7025  0        None      None    None     2023-11-14 15:18:44 UTC

Description Sage McTaggart 2022-04-14 21:37:04 UTC
CVE-2022-28739: Buffer overrun in String-to-Float conversion

Posted by mame on 12 Apr 2022

A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739. We strongly recommend upgrading Ruby.

Comment 1 Sandipan Roy 2022-04-25 05:05:01 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078346]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078347]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078348]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078349]


Created ruby:3.0/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078350]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2078351]

Comment 4 errata-xmlrpc 2022-06-28 15:16:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5338 https://access.redhat.com/errata/RHSA-2022:5338

Comment 5 Product Security DevOps Team 2022-07-01 01:40:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28739

Comment 7 errata-xmlrpc 2022-09-13 09:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447

Comment 8 errata-xmlrpc 2022-09-13 09:45:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450

Comment 9 errata-xmlrpc 2022-09-20 13:42:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6585 https://access.redhat.com/errata/RHSA-2022:6585

Comment 10 errata-xmlrpc 2022-10-11 07:31:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855

Comment 11 errata-xmlrpc 2022-10-11 07:32:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856

Comment 12 errata-xmlrpc 2023-11-14 15:18:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7025 https://access.redhat.com/errata/RHSA-2023:7025

