ruby:3.1 security, bug fix, and enhancement update
エラータID: AXSA:2024-8490:01
Release date:
Friday, June 28, 2024 - 17:03
Subject:
ruby:3.1 security, bug fix, and enhancement update
Affected Channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (3.1). (RHEL-35449)
Security Fix(es):
* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)
* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)
* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CVE-2024-27281
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
CVE-2024-27282
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Modularity name: "ruby"
Stream name: "3.1"
Solution:
Update packages.
CVEs:
CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CVE-2024-27281
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
CVE-2024-27282
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Additional Info:
N/A
Download:
SRPMS
- rubygem-mysql2-0.5.4-1.module+el9+1041+77366097.ML.1.src.rpm
MD5: a8872f194b826ea5cffd53f5b011e04e
SHA-256: 5ac0cac09b9335db48315a6c8c564c7cb1405435e919b868fc8e6687c4975676
Size: 113.20 kB - rubygem-pg-1.3.5-1.module+el9+1041+77366097.src.rpm
MD5: e112a4ce09abd9ac62128f16c14b487d
SHA-256: 6bc4db86dcdbd2d24c3dab8d565d3ffe44012f0e6b55bde619ee61fd816fdaa5
Size: 263.16 kB - ruby-3.1.5-144.module+el9+1041+77366097.src.rpm
MD5: c2f838b36a4440bcebe3d54dd6900b57
SHA-256: 8249e339597edfe436493297c8a5d67b35e2752c634d78da43e5acbfac0655a2
Size: 14.67 MB
Asianux Server 9 for x86_64
- ruby-3.1.5-144.module+el9+1041+77366097.i686.rpm
MD5: 3b7f0aa5d04f921e891a698348998671
SHA-256: 36a6780df6e5c8db3631f7126a99571f233fc2ff33e10eb2a7f4e2cccede3384
Size: 38.45 kB - ruby-3.1.5-144.module+el9+1041+77366097.x86_64.rpm
MD5: f237723a439d8fc854fb8ed22923ac61
SHA-256: 6f086a56853aa9e625bcc7fa82f590ea8776381539597aed49a5a81ed2e7c434
Size: 38.29 kB - ruby-bundled-gems-3.1.5-144.module+el9+1041+77366097.i686.rpm
MD5: 8d4f44ee4bcf247760fca397abda1a43
SHA-256: 05112f42d4308d692100bf98c79e794f1114fffddca62b1cde47ac2d4588e984
Size: 163.23 kB - ruby-bundled-gems-3.1.5-144.module+el9+1041+77366097.x86_64.rpm
MD5: 8e1bb27aa44b1f3f89cf2d256290fd72
SHA-256: 7855e19a86857b705d54803ff1734e312c56a6ed179d5c0afc55013eaecaf792
Size: 162.98 kB - ruby-debugsource-3.1.5-144.module+el9+1041+77366097.i686.rpm
MD5: 24a9243d3f289e7561f74511fe34c685
SHA-256: ff92ba0cfe0ef2404dc6215166ac41afe769935f5fc7d34ff3ef75df552e5804
Size: 3.52 MB - ruby-debugsource-3.1.5-144.module+el9+1041+77366097.x86_64.rpm
MD5: 0ce2d3b6c77220112f2e2444c5d30409
SHA-256: 30e79d60d1cc81eb9b5240b313ed6ebe3f4cdcd2eccf457b038b2646a2e4f761
Size: 3.59 MB - ruby-default-gems-3.1.5-144.module+el9+1041+77366097.noarch.rpm
MD5: cdda52260db4637e9ce85d4ae41b4445
SHA-256: 1a94ba278e180fae0fe71dc68bd9287d39a2966ee3ad86815567189de68cb9ff
Size: 27.50 kB - ruby-devel-3.1.5-144.module+el9+1041+77366097.i686.rpm
MD5: 7e0e3a43ba5fd9376281c0d5685777d7
SHA-256: 84b54d5741f77928a1f4fee08224033b9e4801107df8bd3a1594d953c99757e3
Size: 414.38 kB - ruby-devel-3.1.5-144.module+el9+1041+77366097.x86_64.rpm
MD5: 5dc02bd7b9cc0688f4b7328654ffa55f
SHA-256: ad11e69d84071459964f38b5c6552a4a322231c37111f5769e34e03c04d86ac8
Size: 414.66 kB - ruby-doc-3.1.5-144.module+el9+1041+77366097.noarch.rpm
MD5: 043561a6d316e20e20b8cc98b6282317
SHA-256: 12bef09c6a5765559082871c309df48766d160bf868af96dde7e3bc3875f7ab8
Size: 4.96 MB - rubygem-bigdecimal-3.1.1-144.module+el9+1041+77366097.i686.rpm
MD5: 05be8d4ae61771ba2e758a24b190eab3
SHA-256: 582412b9f43222da62feeb3e587821bcd7fd3017fbfc7ec87262dc0a2de50b9c
Size: 70.41 kB - rubygem-bigdecimal-3.1.1-144.module+el9+1041+77366097.x86_64.rpm
MD5: 7129e2825244dd149729b6cb7269fe46
SHA-256: a0153405d51be272f40faa9233230372c0e6f131d436e868a340261289890c44
Size: 66.03 kB - rubygem-bundler-2.3.27-144.module+el9+1041+77366097.noarch.rpm
MD5: 54a3cf3bbe919ede3236eec41791bfae
SHA-256: 80c793a06f570d60c8cf990db7610d354511df88c1c96e62d5d465c3a103468e
Size: 377.11 kB - rubygem-io-console-0.5.11-144.module+el9+1041+77366097.i686.rpm
MD5: dd1a156e6f05387fb13ae026adc5285c
SHA-256: 80500a4e8af6dca65c5eca910dba9f58155eaa86765eaee42d371c829bc7b14b
Size: 23.93 kB - rubygem-io-console-0.5.11-144.module+el9+1041+77366097.x86_64.rpm
MD5: e463df04dda4e7515073ced00395cbf2
SHA-256: 3fb0f44b0a3473c69b03003853a3f9decacd0bc6746857fb96f797061ba5842e
Size: 22.08 kB - rubygem-irb-1.4.1-144.module+el9+1041+77366097.noarch.rpm
MD5: fc601384e1a1abd5786f086447fa5a0b
SHA-256: 350b1a18a16e78843e676a4070c31e55ac67b65ee561436b47b8fef33a840879
Size: 66.61 kB - rubygem-json-2.6.1-144.module+el9+1041+77366097.i686.rpm
MD5: 5251ffe77be2c5205b71a8d7809cad4f
SHA-256: fbab9b2b0654df42d430f75ac989b54c066a7b49cdb26fb972bd93bca4c7477f
Size: 52.46 kB - rubygem-json-2.6.1-144.module+el9+1041+77366097.x86_64.rpm
MD5: 5c3dab00eab9dc972f4fb75bd909cb15
SHA-256: 99b3672587f93429579fab197c5d10fb3a9d1aa3c6819706dd7940045069c696
Size: 50.67 kB - rubygem-minitest-5.15.0-144.module+el9+1041+77366097.noarch.rpm
MD5: cd98bfd7c3bc66b4f193b8fb71692f9b
SHA-256: 83ee4b47f0715670de73235c7245b883a06e84126f87042130cdf04284cebc02
Size: 79.33 kB - rubygem-mysql2-0.5.4-1.module+el9+1041+77366097.ML.1.x86_64.rpm
MD5: f33255434903bb4a2028e202a09d74c8
SHA-256: d2e061f61b8c8405a06435ae805edc413985cf210ed6166656e305e7f1b5f78e
Size: 47.34 kB - rubygem-mysql2-debugsource-0.5.4-1.module+el9+1041+77366097.ML.1.x86_64.rpm
MD5: 7d7a9553fc5a0b73c06dfa122d93f269
SHA-256: 18ffc94bd19a4057eab0c5104bc37a55ac1ca49d24fe34c777e3da2c77fbbb92
Size: 34.90 kB - rubygem-mysql2-doc-0.5.4-1.module+el9+1041+77366097.ML.1.noarch.rpm
MD5: ca10ac79fd20cf54292cc301066e94fb
SHA-256: 34f3228c867b4f8f35d9e37fdc88921167da1966362bf4393fa67a1b22957020
Size: 311.98 kB - rubygem-pg-1.3.5-1.module+el9+1041+77366097.x86_64.rpm
MD5: 9f7c9bce4c0b0f7d5d2e1278b4d2daeb
SHA-256: 615f07323349bdd69aae89d7ae8a893c04f20a7f6eb65d0058a46b8e9ded7813
Size: 110.72 kB - rubygem-pg-debugsource-1.3.5-1.module+el9+1041+77366097.x86_64.rpm
MD5: 38bfde5cab3ad178e49d3dd65d89980f
SHA-256: 8d8b843a8b29a6ec250028540ad3a43a4c7cf79eb2e46276be6d35b9e24d9c8e
Size: 90.87 kB - rubygem-pg-doc-1.3.5-1.module+el9+1041+77366097.noarch.rpm
MD5: bfaf5cf49e5e6e380d0fd37df5e3bf56
SHA-256: c9519371c3ae5aa040fbce153af025906d2a5db1359c0fa5de519239e033e9c6
Size: 557.14 kB - rubygem-power_assert-2.0.1-144.module+el9+1041+77366097.noarch.rpm
MD5: e63adb5bca9bbe938efd751b41b9567c
SHA-256: a24f5df4bfef6baec98fdc2941245374485c7da20f02a3b65b044af637ef20d1
Size: 19.83 kB - rubygem-psych-4.0.4-144.module+el9+1041+77366097.i686.rpm
MD5: b8271e688cd515568d4866592474fc58
SHA-256: 9fb6872396980eb1131b2556843bebc42ba421abc06c4294d8b1a43acfbce842
Size: 49.29 kB - rubygem-psych-4.0.4-144.module+el9+1041+77366097.x86_64.rpm
MD5: 2c6b6271316b5f330880ca2a781cf0be
SHA-256: 84c26846b8d3171fa02a8aa33e76664a046e535b02ce54b550c1511c50a4f4d1
Size: 48.20 kB - rubygem-rake-13.0.6-144.module+el9+1041+77366097.noarch.rpm
MD5: 7b230ed43730b50d0f065abf301f7930
SHA-256: c254ece484f7be079f8bfffd62a2aef6a327b6fa59c96c8ff5fd8ee625430a0a
Size: 85.23 kB - rubygem-rbs-2.7.0-144.module+el9+1041+77366097.i686.rpm
MD5: ba719f4ca688b971a875384147fad718
SHA-256: 03a377218c9b0cc032191494fa72915007b6bcae85bb83b8464e9fa9b8d72525
Size: 775.83 kB - rubygem-rbs-2.7.0-144.module+el9+1041+77366097.x86_64.rpm
MD5: 822ed6dbabca42b9c8397e13cedd869e
SHA-256: 1e7db3c25e25a96f414922a0ca519d651690c279347373ef1f958cbe5f588c4c
Size: 771.63 kB - rubygem-rdoc-6.4.1.1-144.module+el9+1041+77366097.noarch.rpm
MD5: d807b526abf25786c08f0716f845fc9e
SHA-256: 8141b5473e0f815ead18c70febedf43f8a0308aa82d7bd80e7e8b368719dd892
Size: 458.40 kB - rubygem-rexml-3.2.5-144.module+el9+1041+77366097.noarch.rpm
MD5: 5a0cc4c25012c2df35d2a3e8dc70a670
SHA-256: e961941f481566909a3c0850d71d8378c2297a5ec4e6a9a9cda4fdfb314aba17
Size: 91.85 kB - rubygem-rss-0.2.9-144.module+el9+1041+77366097.noarch.rpm
MD5: a7a16bcf6c1f6ae78105ed918edb8153
SHA-256: 631e5ba96904b73ece226742aba52e57480a483d4dcd427dd94ede676642a85d
Size: 99.59 kB - rubygems-3.3.27-144.module+el9+1041+77366097.noarch.rpm
MD5: 6d0f4aeeb316fb1a9b65ebf7a0b0ab11
SHA-256: cf023aa5ded6b7c0143e1999e45c5c68a66614f8fa758d780738bd6dbb943519
Size: 249.48 kB - rubygems-devel-3.3.27-144.module+el9+1041+77366097.noarch.rpm
MD5: 78c16f0b5654524a7a61235cc6fd8acc
SHA-256: 394ab604a284abd1fe812d80fa659659f5a2bd0c218fcdc9a13617f955db3fb7
Size: 11.66 kB - rubygem-test-unit-3.5.3-144.module+el9+1041+77366097.noarch.rpm
MD5: 9d0f212197d7d6f58f2e3c13d85aacde
SHA-256: 2a387a6e59eac993218b545da5c5c4d3c4f1a1c8466bd5215f08a4ac3137b204
Size: 91.55 kB - rubygem-typeprof-0.21.3-144.module+el9+1041+77366097.noarch.rpm
MD5: 7817b1a45b7926db78cb9962e3c96ac7
SHA-256: c78eee9c4baa7298bb24e4fbc053aaeb6cc12009f51cfbfbaa2a1baa223813fc
Size: 69.94 kB - ruby-libs-3.1.5-144.module+el9+1041+77366097.i686.rpm
MD5: 600679b378569959b0f0e15d4ddc51de
SHA-256: f37ae07d51d040512efe043160f56ffcb9d2eebd607ca98bd10a77cce12f3892
Size: 3.27 MB - ruby-libs-3.1.5-144.module+el9+1041+77366097.x86_64.rpm
MD5: 07316954402f8e7d5f882ab597033f2d
SHA-256: 4d0696107846aa3b0f4198025c7f87c41277d7b0f4c7f6111335f690cad26ef6
Size: 3.23 MB
日本語