ruby:3.1 security, bug fix, and enhancement update
Errata ID: AXSA:2024-8503:01
Release date:
2024/07/03 Wednesday - 17:16
Title:
ruby:3.1 security, bug fix, and enhancement update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The ungetbyte() and ungetc() methods of Ruby's StringIO read outside the bounds of the string buffer, allowing a remote attacker to disclose information. (CVE-2024-27280)
- RDoc does not restrict the classes that can be restored when it parses the .rdoc_options file as a YAML file, allowing a local attacker to inject objects and execute arbitrary code. (CVE-2024-27281)
- Ruby's regular expression handling permits corruption or reading of arbitrary heap data, allowing a local attacker to disclose information via crafted regular expression input. (CVE-2024-27282)
Modularity name: ruby
Stream name: 3.1
Solution:
Update the packages.
CVE:
CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CVE-2024-27281
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
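The class-restriction mitigation the CVE-2024-27281 description refers to, shown as an added example (not code from the advisory or from RDoc): a YAML loader with a permitted-class list accepts a benign options document and refuses one that asks for an unlisted class before any object is built. RdocOptionsStub, UnlistedClass and both sample documents are constructed for the illustration.

```ruby
# Added example (not from the advisory or from RDoc): restricting which
# classes a YAML loader may instantiate, the mitigation for CVE-2024-27281.
# Psych is Ruby's bundled YAML library.
require "yaml"

# Constructed stand-in for a configuration class the loader may build.
class RdocOptionsStub
  attr_accessor :title, :main_page
end

# Classes a configuration loader legitimately needs; anything else is
# rejected by the restricted class loader before it is instantiated.
PERMITTED = [RdocOptionsStub, Symbol].freeze

# Load a YAML document under the permitted-class list.
# Returns [:ok, object] on success, or [:rejected, message] when the
# document requests a class outside the list.
def load_restricted(yaml_text)
  obj = Psych.safe_load(yaml_text, permitted_classes: PERMITTED, aliases: false)
  [:ok, obj]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Constructed sample: a benign options file using only a permitted class.
BENIGN = <<~YAML
  --- !ruby/object:RdocOptionsStub
  title: My Project
  main_page: README.md
YAML

# Constructed sample: a document tagged with a class that is not on the
# list. An unrestricted loader would instantiate whatever class the tag
# names; safe_load refuses it (UnlistedClass is a made-up name).
TAGGED = <<~YAML
  --- !ruby/object:UnlistedClass
  payload: ignored
YAML

if __FILE__ == $0
  p load_restricted(BENIGN)  # [:ok, #<RdocOptionsStub ...>]
  p load_restricted(TAGGED)  # [:rejected, "Tried to load unspecified class: UnlistedClass"]
end
```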
CVE-2024-27282
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Additional information:
N/A
Downloads: