ruby:3.3 security, bug fix, and enhancement update

Errata ID: AXSA:2024-8494:01

Release date: Monday, July 1, 2024 - 21:26
Subject: ruby:3.3 security, bug fix, and enhancement update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: ruby (3.3). (RHEL-37446)

Security Fix(es):

* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)
* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)
* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CVE-2024-27281
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
CVE-2024-27282
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
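
The CVE-2024-27281 description above turns on YAML being loaded with no restriction on which classes are restored. The following added example, which is not RDoc's code or part of this advisory, shows allow-list loading with Psych.safe_load; DocOptions and Unexpected are hypothetical classes and both YAML documents are constructed samples.

```ruby
require 'yaml'

# Hypothetical stand-in for a tool's options object (not RDoc's real class).
class DocOptions
  attr_accessor :title, :markup
end

# Hypothetical class that a config file has no business instantiating.
class Unexpected
  attr_accessor :cmd
end

# Constructed sample: an options file that only uses the expected class.
BENIGN = <<~YAML
  --- !ruby/object:DocOptions
  title: Project docs
  markup: markdown
YAML

# Constructed sample: same file with an extra object tag nested inside.
NESTED_TAG = <<~YAML
  --- !ruby/object:DocOptions
  title: !ruby/object:Unexpected
    cmd: placeholder
YAML

# Load an options document, reviving only allow-listed classes.
def load_options(text)
  obj = Psych.safe_load(text, permitted_classes: [DocOptions, Symbol], aliases: false)
  raise ArgumentError, 'top-level object is not DocOptions' unless obj.is_a?(DocOptions)
  obj
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  raise ArgumentError, "options file rejected: #{e.message}"
end

# True when the document loads under the allow-list, false when it is rejected.
def accepted?(text)
  load_options(text)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts accepted?(BENIGN)                    # expected class only
  puts accepted?(NESTED_TAG)                # class outside the allow-list
  puts accepted?("title: plain mapping\n")  # wrong top-level type
end
```

The allow-list applies at every nesting level, so a disallowed tag buried inside an otherwise valid document is rejected before any object of that class is created.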

Modularity name: "ruby"
Stream name: "3.3"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rpm-local-generator-support-1-1.module+el8+1778+8ab526a2.src.rpm
    Size: 7.12 kB
  2. rubygem-abrt-0.4.0-1.module+el8+1778+8ab526a2.src.rpm
    Size: 16.60 kB
  3. rubygem-mysql2-0.5.5-1.module+el8+1778+8ab526a2.src.rpm
    Size: 124.06 kB
  4. rubygem-pg-1.5.4-1.module+el8+1778+8ab526a2.src.rpm
    Size: 309.80 kB
  5. ruby-3.3.1-2.module+el8+1778+4ae7630a.src.rpm
    Size: 15.71 MB

Asianux Server 8 for x86_64
  1. ruby-3.3.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 87.60 kB
  2. ruby-3.3.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 87.54 kB
  3. ruby-bundled-gems-3.3.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 321.16 kB
  4. ruby-bundled-gems-3.3.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 320.85 kB
  5. ruby-debugsource-3.3.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 4.43 MB
  6. ruby-debugsource-3.3.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 4.68 MB
  7. ruby-default-gems-3.3.1-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 83.87 kB
  8. ruby-devel-3.3.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 364.73 kB
  9. ruby-devel-3.3.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 364.72 kB
  10. ruby-doc-3.3.1-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 4.79 MB
  11. rubygem-abrt-0.4.0-1.module+el8+1778+8ab526a2.noarch.rpm
    Size: 12.51 kB
  12. rubygem-abrt-doc-0.4.0-1.module+el8+1778+8ab526a2.noarch.rpm
    Size: 256.72 kB
  13. rubygem-bigdecimal-3.1.5-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 117.47 kB
  14. rubygem-bigdecimal-3.1.5-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 113.66 kB
  15. rubygem-bundler-2.5.9-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 469.32 kB
  16. rubygem-io-console-0.7.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 73.45 kB
  17. rubygem-io-console-0.7.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 71.83 kB
  18. rubygem-irb-1.11.0-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 144.48 kB
  19. rubygem-json-2.7.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 101.55 kB
  20. rubygem-json-2.7.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 100.09 kB
  21. rubygem-minitest-5.20.0-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 141.67 kB
  22. rubygem-mysql2-0.5.5-1.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 46.54 kB
  23. rubygem-mysql2-debugsource-0.5.5-1.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 39.60 kB
  24. rubygem-mysql2-doc-0.5.5-1.module+el8+1778+8ab526a2.noarch.rpm
    Size: 309.10 kB
  25. rubygem-pg-1.5.4-1.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 116.05 kB
  26. rubygem-pg-debugsource-1.5.4-1.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 104.80 kB
  27. rubygem-pg-doc-1.5.4-1.module+el8+1778+8ab526a2.noarch.rpm
    Size: 630.11 kB
  28. rubygem-power_assert-2.0.3-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 70.55 kB
  29. rubygem-psych-5.1.2-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 100.08 kB
  30. rubygem-psych-5.1.2-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 98.87 kB
  31. rubygem-racc-1.7.3-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 123.21 kB
  32. rubygem-racc-1.7.3-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 122.76 kB
  33. rubygem-rake-13.1.0-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 139.67 kB
  34. rubygem-rbs-3.4.0-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 1.03 MB
  35. rubygem-rbs-3.4.0-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 1.02 MB
  36. rubygem-rdoc-6.6.3.1-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 519.49 kB
  37. rubygem-rexml-3.2.6-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 156.88 kB
  38. rubygem-rss-0.3.0-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 110.02 kB
  39. rubygems-3.5.9-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 432.51 kB
  40. rubygems-devel-3.5.9-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 62.29 kB
  41. rubygem-test-unit-3.6.1-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 149.17 kB
  42. rubygem-typeprof-0.21.9-2.module+el8+1778+8ab526a2.noarch.rpm
    Size: 126.89 kB
  43. ruby-libs-3.3.1-2.module+el8+1778+4ae7630a.i686.rpm
    Size: 3.71 MB
  44. ruby-libs-3.3.1-2.module+el8+1778+8ab526a2.x86_64.rpm
    Size: 4.01 MB