Bug 2270750 (CVE-2024-27280) - CVE-2024-27280 ruby: Buffer overread vulnerability in StringIO [NEEDINFO]
Summary: CVE-2024-27280 ruby: Buffer overread vulnerability in StringIO
Keywords:
Status: NEW
Alias: CVE-2024-27280
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2276876 2270753 2270754 2270755 2270756 2270757 2270759 2270760 2270761 2270762 2270763 2270764 2270765 2270766 2270767 2270768 2270769 2270770 2270771 2270773 2270774 2270775 2270776 2270777 2270778 2270779 2270780 2270781 2270782 2270783 2270784 2277056 2277058 2277059 2277060 2277061 2277062 2277063 2277064 2277065 2277066 2277067 2277068 2277069 2277070 2277071 2277072 2277073 2277074 2277075 2277076 2277077 2277078 2277079 2277080 2277081 2277082 2277083 2277084 2277085 2277086 2277087 2277088 2277089 2277090 2277091 2277092 2277093
Blocks: 2270748
Reported: 2024-03-21 17:49 UTC by Zack Miele
Modified: 2024-07-11 11:48 UTC (History)

Fixed In Version: stringio 3.0.1.1, stringio 3.0.1.2
Doc Type: If docs needed, set a value
Doc Text:
A buffer overread flaw was found in the rubygem StringIO. The StringIO#ungetbyte and StringIO#ungetc methods can read past the end of the underlying string, and a subsequent call to StringIO#gets may return that out-of-bounds memory.
Clone Of:
Environment:
Last Closed:
Embargoed:
saroy: needinfo? (zmiele)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3540 0 None None None 2024-06-03 01:16:41 UTC
Red Hat Product Errata RHBA-2024:3577 0 None None None 2024-06-04 07:35:33 UTC
Red Hat Product Errata RHBA-2024:3863 0 None None None 2024-06-12 08:23:20 UTC
Red Hat Product Errata RHBA-2024:3987 0 None None None 2024-06-19 13:54:04 UTC
Red Hat Product Errata RHBA-2024:3996 0 None None None 2024-06-20 01:56:05 UTC
Red Hat Product Errata RHSA-2024:3500 0 None None None 2024-05-30 13:12:43 UTC
Red Hat Product Errata RHSA-2024:3546 0 None None None 2024-06-03 07:15:11 UTC
Red Hat Product Errata RHSA-2024:3668 0 None None None 2024-06-06 08:57:19 UTC
Red Hat Product Errata RHSA-2024:3670 0 None None None 2024-06-06 09:23:26 UTC
Red Hat Product Errata RHSA-2024:3671 0 None None None 2024-06-06 09:48:16 UTC
Red Hat Product Errata RHSA-2024:3838 0 None None None 2024-06-11 19:42:29 UTC
Red Hat Product Errata RHSA-2024:4499 0 None None None 2024-07-11 11:48:03 UTC

Description Zack Miele 2024-03-21 17:49:28 UTC
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.
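The versions named in this report (3.0.1 affected, 3.0.1.1 and 3.0.1.2 as the backported fixes, 3.0.3 and later unaffected) are easy to misjudge with a naive string comparison because the fixed releases carry a fourth component. The following is an added example, not part of this Bugzilla record or of the stringio project, showing a defender-side check that classifies a stringio version against exactly the ranges stated above using Gem::Version, and reports :unknown for any version the report does not name (for example 3.0.2 or anything older than 3.0.1) rather than guessing. The StringIO::VERSION constant and the Gem.loaded_specs fallback are assumptions about the running environment.

```ruby
# Added example (not from the bug report): classify a stringio gem version
# against the affected / fixed ranges stated in this bug.
require 'rubygems'
require 'stringio'

# Versions named on the page. Anything else is reported as :unknown.
AFFECTED_VERSION  = Gem::Version.new('3.0.1')
FIXED_BACKPORTS   = %w[3.0.1.1 3.0.1.2].map { |v| Gem::Version.new(v) }.freeze
FIRST_UNAFFECTED  = Gem::Version.new('3.0.3')

# Returns :fixed, :not_affected, :affected or :unknown for a version string.
# Gem::Version handles the four-component backport versions correctly, whereas
# a plain string compare would sort "3.0.1.1" before "3.0.1" or "3.0.10" oddly.
def stringio_status(version_string)
  v = Gem::Version.new(version_string)
  return :fixed        if FIXED_BACKPORTS.include?(v)   # 3.0.1.1 / 3.0.1.2
  return :not_affected if v >= FIRST_UNAFFECTED         # 3.0.3 and later
  return :affected     if v == AFFECTED_VERSION         # 3.0.1 as shipped
  :unknown                                              # not named in the report
end

# Version of the stringio actually loaded into this interpreter.
# Assumption: StringIO::VERSION is defined by the gem; if not, fall back to the
# loaded gem specification, and give up with nil if neither is available.
def installed_stringio_version
  return StringIO::VERSION if defined?(StringIO::VERSION)
  spec = Gem.loaded_specs['stringio']
  spec && spec.version.to_s
end

# Convenience wrapper that never raises: :unknown when the version cannot be read.
def installed_stringio_status
  version = installed_stringio_version
  version ? stringio_status(version) : :unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "stringio #{installed_stringio_version.inspect}: #{installed_stringio_status}"
end
```

Run it on each Ruby installation you maintain; a result of :affected or :unknown on a host running Ruby 3.0.x or 3.1.x is the cue to confirm the distribution's patched package (for example via the errata listed on this bug) rather than to trust the bare version number.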

Comment 1 Zack Miele 2024-03-21 18:05:28 UTC
Created alexandria tracking bugs for this issue:

Affects: fedora-all [bug 2270762]


Created ruby:3.1/rubygem-pg tracking bugs for this issue:

Affects: fedora-38 [bug 2270757]


Created rubygem-ammeter tracking bugs for this issue:

Affects: fedora-all [bug 2270763]


Created rubygem-domain_name tracking bugs for this issue:

Affects: fedora-38 [bug 2270759]


Created rubygem-haml tracking bugs for this issue:

Affects: fedora-all [bug 2270764]


Created rubygem-highline tracking bugs for this issue:

Affects: epel-8 [bug 2270755]


Created rubygem-http-cookie tracking bugs for this issue:

Affects: fedora-all [bug 2270765]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-38 [bug 2270760]


Created rubygem-marc tracking bugs for this issue:

Affects: fedora-all [bug 2270766]


Created rubygem-mechanize tracking bugs for this issue:

Affects: fedora-38 [bug 2270761]


Created rubygem-minitest-around tracking bugs for this issue:

Affects: fedora-all [bug 2270767]


Created rubygem-net-http-persistent tracking bugs for this issue:

Affects: fedora-all [bug 2270768]


Created rubygem-pg tracking bugs for this issue:

Affects: fedora-all [bug 2270769]


Created rubygem-power_assert tracking bugs for this issue:

Affects: fedora-all [bug 2270770]


Created rubygem-rdoc tracking bugs for this issue:

Affects: fedora-all [bug 2270771]


Created rubygem-shindo tracking bugs for this issue:

Affects: fedora-all [bug 2270773]


Created rubygem-shoulda-context tracking bugs for this issue:

Affects: fedora-all [bug 2270774]


Created rubygem-sinatra tracking bugs for this issue:

Affects: epel-7 [bug 2270754]


Created rubygem-tins tracking bugs for this issue:

Affects: fedora-all [bug 2270775]


Created rubygem-webmock tracking bugs for this issue:

Affects: fedora-all [bug 2270776]


Created whatweb tracking bugs for this issue:

Affects: epel-8 [bug 2270756]
Affects: fedora-all [bug 2270753]

Comment 3 Mamoru TASAKA 2024-03-22 01:22:38 UTC
So would you please stop filing bugs of this kind without consideration?
I don't think we are expected to cope with these bugs even if "Disclaimer" is expressed.

Comment 6 Sandipan Roy 2024-04-25 05:07:18 UTC
Created alexandria tracking bugs for this issue:

Affects: fedora-38 [bug 2277062]
Affects: fedora-39 [bug 2277078]


Created ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277058]
Affects: fedora-39 [bug 2277060]
Affects: fedora-40 [bug 2277061]


Created ruby:3.1/ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277059]


Created rubygem-ammeter tracking bugs for this issue:

Affects: fedora-38 [bug 2277063]
Affects: fedora-39 [bug 2277079]


Created rubygem-haml tracking bugs for this issue:

Affects: fedora-38 [bug 2277064]
Affects: fedora-39 [bug 2277080]


Created rubygem-http-cookie tracking bugs for this issue:

Affects: fedora-38 [bug 2277065]
Affects: fedora-39 [bug 2277081]


Created rubygem-marc tracking bugs for this issue:

Affects: fedora-38 [bug 2277066]
Affects: fedora-39 [bug 2277082]


Created rubygem-minitest-around tracking bugs for this issue:

Affects: fedora-38 [bug 2277067]
Affects: fedora-39 [bug 2277083]


Created rubygem-net-http-persistent tracking bugs for this issue:

Affects: fedora-38 [bug 2277068]
Affects: fedora-39 [bug 2277084]


Created rubygem-pdfkit tracking bugs for this issue:

Affects: fedora-38 [bug 2277069]
Affects: fedora-39 [bug 2277085]
Affects: fedora-all [bug 2277056]


Created rubygem-pg tracking bugs for this issue:

Affects: fedora-38 [bug 2277070]
Affects: fedora-39 [bug 2277086]


Created rubygem-power_assert tracking bugs for this issue:

Affects: fedora-38 [bug 2277071]
Affects: fedora-39 [bug 2277087]


Created rubygem-rdoc tracking bugs for this issue:

Affects: fedora-38 [bug 2277072]
Affects: fedora-39 [bug 2277088]


Created rubygem-shindo tracking bugs for this issue:

Affects: fedora-38 [bug 2277073]
Affects: fedora-39 [bug 2277089]


Created rubygem-shoulda-context tracking bugs for this issue:

Affects: fedora-38 [bug 2277074]
Affects: fedora-39 [bug 2277090]


Created rubygem-tins tracking bugs for this issue:

Affects: fedora-38 [bug 2277075]
Affects: fedora-39 [bug 2277091]


Created rubygem-webmock tracking bugs for this issue:

Affects: fedora-38 [bug 2277076]
Affects: fedora-39 [bug 2277092]


Created whatweb tracking bugs for this issue:

Affects: fedora-38 [bug 2277077]
Affects: fedora-39 [bug 2277093]

Comment 7 Vít Ondruch 2024-04-25 07:14:51 UTC
@saroy there was a concern raised with the Fedora trackers and you have just filed more. What is the point of the trackers? That some project is using vulnerable StringIO?

Comment 12 Vít Ondruch 2024-04-26 09:06:40 UTC
(In reply to Vít Ondruch from comment #7)
> @saroy there was a concern raised with the Fedora trackers and you
> have just filed more. What is the point of the trackers? That some project
> is using vulnerable StringIO?

For others who might be watching this ticket, I cannot promise any fix, but at least my concern was heard. I was provided with some details of output of internal tooling and links to the source code.

Comment 13 errata-xmlrpc 2024-05-30 13:12:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500

Comment 14 errata-xmlrpc 2024-06-03 07:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3546 https://access.redhat.com/errata/RHSA-2024:3546

Comment 15 errata-xmlrpc 2024-06-06 08:57:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3668 https://access.redhat.com/errata/RHSA-2024:3668

Comment 16 errata-xmlrpc 2024-06-06 09:23:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3670 https://access.redhat.com/errata/RHSA-2024:3670

Comment 17 errata-xmlrpc 2024-06-06 09:48:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3671 https://access.redhat.com/errata/RHSA-2024:3671

Comment 18 errata-xmlrpc 2024-06-11 19:42:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838

Comment 19 errata-xmlrpc 2024-07-11 11:48:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499
