ruby:3.3 security, bug fix, and enhancement update
Errata ID: AXSA:2024-8491:01
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (3.3).
Security Fix(es):
* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)
* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)
* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CVE-2024-27281
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
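The root cause named above, unrestricted class restoration when loading YAML, is shown here as an added example; it is not RDoc's code or its patch. `DocOptions` and `Unrelated` are constructed stand-in classes and both YAML strings are constructed samples. An allowlisting load refuses any class the caller did not name.

```ruby
require "yaml"

# Constructed stand-in for an options object; not RDoc's own class.
class DocOptions
  attr_accessor :title, :markup
end

# Constructed stand-in for any other class that happens to be loaded.
class Unrelated
  attr_accessor :payload
end

# Constructed sample: the options file the application expects.
EXPECTED_YAML = <<~DOC
  --- !ruby/object:DocOptions
  title: Project docs
  markup: markdown
DOC

# Constructed sample: a file whose tag names a class the caller never asked for.
CRAFTED_YAML = <<~DOC
  --- !ruby/object:Unrelated
  payload: attacker-chosen state
DOC

# Unrestricted load: the tag inside the file decides which class is restored.
def load_unrestricted(text)
  # unsafe_load exists in current Psych; older Psych's plain load behaves the same.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Restricted load: only allowlisted classes may be restored; anything else
# raises Psych::DisallowedClass, which is treated here as a rejected file.
def load_restricted(text)
  YAML.safe_load(text, permitted_classes: [DocOptions, Symbol])
rescue Psych::DisallowedClass => e
  warn "rejected options file: #{e.message}"
  nil
end
```
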
CVE-2024-27282
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Modularity name: "ruby"
Stream name: "3.3"
Update packages.
SRPMS
- module-build-macros-0.1-1.module+el9+1042+7e060dc8.src.rpm (7.29 kB)
- rpm-local-generator-support-1-1.module+el9+1042+7e060dc8.src.rpm (7.31 kB)
- rubygem-mysql2-0.5.5-1.module+el9+1042+7e060dc8.src.rpm (121.83 kB)
- rubygem-pg-1.5.4-1.module+el9+1042+7e060dc8.src.rpm (305.82 kB)
- ruby-3.3.1-2.module+el9+1042+7e060dc8.src.rpm (15.66 MB)
Asianux Server 9 for x86_64
- ruby-3.3.1-2.module+el9+1042+7e060dc8.i686.rpm (37.04 kB)
- ruby-3.3.1-2.module+el9+1042+7e060dc8.x86_64.rpm (36.93 kB)
- ruby-bundled-gems-3.3.1-2.module+el9+1042+7e060dc8.i686.rpm (253.76 kB)
- ruby-bundled-gems-3.3.1-2.module+el9+1042+7e060dc8.x86_64.rpm (253.57 kB)
- ruby-debugsource-3.3.1-2.module+el9+1042+7e060dc8.i686.rpm (3.77 MB)
- ruby-debugsource-3.3.1-2.module+el9+1042+7e060dc8.x86_64.rpm (3.99 MB)
- ruby-default-gems-3.3.1-2.module+el9+1042+7e060dc8.noarch.rpm (33.10 kB)
- ruby-devel-3.3.1-2.module+el9+1042+7e060dc8.i686.rpm (286.88 kB)
- ruby-devel-3.3.1-2.module+el9+1042+7e060dc8.x86_64.rpm (287.12 kB)
- ruby-doc-3.3.1-2.module+el9+1042+7e060dc8.noarch.rpm (4.44 MB)
- rubygem-bigdecimal-3.1.5-2.module+el9+1042+7e060dc8.i686.rpm (69.41 kB)
- rubygem-bigdecimal-3.1.5-2.module+el9+1042+7e060dc8.x86_64.rpm (64.26 kB)
- rubygem-bundler-2.5.9-2.module+el9+1042+7e060dc8.noarch.rpm (387.02 kB)
- rubygem-io-console-0.7.1-2.module+el9+1042+7e060dc8.i686.rpm (23.41 kB)
- rubygem-io-console-0.7.1-2.module+el9+1042+7e060dc8.x86_64.rpm (21.65 kB)
- rubygem-irb-1.11.0-2.module+el9+1042+7e060dc8.noarch.rpm (81.33 kB)
- rubygem-json-2.7.1-2.module+el9+1042+7e060dc8.i686.rpm (53.02 kB)
- rubygem-json-2.7.1-2.module+el9+1042+7e060dc8.x86_64.rpm (51.01 kB)
- rubygem-minitest-5.20.0-2.module+el9+1042+7e060dc8.noarch.rpm (86.59 kB)
- rubygem-mysql2-0.5.5-1.module+el9+1042+7e060dc8.x86_64.rpm (45.65 kB)
- rubygem-mysql2-debugsource-0.5.5-1.module+el9+1042+7e060dc8.x86_64.rpm (35.57 kB)
- rubygem-mysql2-doc-0.5.5-1.module+el9+1042+7e060dc8.noarch.rpm (312.45 kB)
- rubygem-pg-1.5.4-1.module+el9+1042+7e060dc8.x86_64.rpm (117.01 kB)
- rubygem-pg-debugsource-1.5.4-1.module+el9+1042+7e060dc8.x86_64.rpm (94.65 kB)
- rubygem-pg-doc-1.5.4-1.module+el9+1042+7e060dc8.noarch.rpm (601.78 kB)
- rubygem-power_assert-2.0.3-2.module+el9+1042+7e060dc8.noarch.rpm (19.84 kB)
- rubygem-psych-5.1.2-2.module+el9+1042+7e060dc8.i686.rpm (49.18 kB)
- rubygem-psych-5.1.2-2.module+el9+1042+7e060dc8.x86_64.rpm (48.00 kB)
- rubygem-racc-1.7.3-2.module+el9+1042+7e060dc8.i686.rpm (71.04 kB)
- rubygem-racc-1.7.3-2.module+el9+1042+7e060dc8.x86_64.rpm (70.50 kB)
- rubygem-rake-13.1.0-2.module+el9+1042+7e060dc8.noarch.rpm (85.21 kB)
- rubygem-rbs-3.4.0-2.module+el9+1042+7e060dc8.i686.rpm (903.80 kB)
- rubygem-rbs-3.4.0-2.module+el9+1042+7e060dc8.x86_64.rpm (898.97 kB)
- rubygem-rdoc-6.6.3.1-2.module+el9+1042+7e060dc8.noarch.rpm (461.46 kB)
- rubygem-rexml-3.2.6-2.module+el9+1042+7e060dc8.noarch.rpm (99.38 kB)
- rubygem-rss-0.3.0-2.module+el9+1042+7e060dc8.noarch.rpm (55.50 kB)
- rubygems-3.5.9-2.module+el9+1042+7e060dc8.noarch.rpm (349.03 kB)
- rubygems-devel-3.5.9-2.module+el9+1042+7e060dc8.noarch.rpm (11.73 kB)
- rubygem-test-unit-3.6.1-2.module+el9+1042+7e060dc8.noarch.rpm (93.67 kB)
- rubygem-typeprof-0.21.9-2.module+el9+1042+7e060dc8.noarch.rpm (70.66 kB)
- ruby-libs-3.3.1-2.module+el9+1042+7e060dc8.i686.rpm (3.62 MB)
- ruby-libs-3.3.1-2.module+el9+1042+7e060dc8.x86_64.rpm (3.97 MB)