2276810 – (CVE-2024-27282) CVE-2024-27282 ruby: Arbitrary memory address read vulnerability with Regex search

Bug 2276810 (CVE-2024-27282) - CVE-2024-27282 ruby: Arbitrary memory address read vulnerability with Regex search

Summary: CVE-2024-27282 ruby: Arbitrary memory address read vulnerability with Regex s...

Keywords:
Status:	NEW
Alias:	CVE-2024-27282
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2276812 2276811 2276813 2276814
Blocks:	2276815
TreeView+	depends on / blocked

Reported:	2024-04-24 05:08 UTC by Avinash Hanwate
Modified:	2024-05-23 07:49 UTC (History)
CC List:	1 user (show)
Fixed In Version:	ruby 3.3.1, ruby 3.0.7, ruby 3.1.5, ruby 3.2.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Ruby. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-04-24 05:08:00 UTC

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/

Comment 1 Avinash Hanwate 2024-04-24 05:11:30 UTC

Created ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2276811]
Affects: fedora-39 [bug 2276813]
Affects: fedora-40 [bug 2276814]


Created ruby:3.1/ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2276812]

Note You need to log in before you can comment on or make changes to this bug.