Editing article
Title: CVE-2024-27280: Buffer overread vulnerability in StringIO
Summary:
<p>We have released StringIO gem versions 3.0.1.1 and 3.0.1.2, which contain a security fix for a buffer overread vulnerability. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-27280">CVE-2024-27280</a>.</p>
<h2>Details</h2>
<p>An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.</p>
<p>The <code class="language-plaintext highlighter-rouge">ungetbyte</code> and <code class="language-plaintext highlighter-rouge">ungetc</code> methods on a StringIO can read past the end of the underlying string, and a subsequent call to <code class="language-plaintext highlighter-rouge">StringIO.gets</code> may return the contents of that out-of-bounds memory.</p>
<p>StringIO 3.0.3 and later, and Ruby 3.2.x and later, are not affected by this vulnerability.</p>
<h2>Recommended action</h2>
<p>We recommend updating the StringIO gem to version 3.0.3 or later. To stay compatible with the version bundled in the older Ruby series, you may instead update as follows:</p>
<ul>
<li>For Ruby 3.0 users: update to <code class="language-plaintext highlighter-rouge">stringio</code> 3.0.1.1</li>
<li>For Ruby 3.1 users: update to <code class="language-plaintext highlighter-rouge">stringio</code> 3.0.1.2</li>
</ul>
<p>Note that StringIO 3.0.1.2 contains not only the fix for this vulnerability but also a bugfix for <a href="https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2">[Bug #19389]</a>.</p>
<p>You can run <code class="language-plaintext highlighter-rouge">gem update stringio</code> to update it. If you are using Bundler, add <code class="language-plaintext highlighter-rouge">gem "stringio", ">= 3.0.1.2"</code> to your <code class="language-plaintext highlighter-rouge">Gemfile</code>.</p>
<h2>Affected versions</h2>
<ul>
<li>Ruby 3.0.6 or lower</li>
<li>Ruby 3.1.4 or lower</li>
<li>StringIO gem 3.0.2 or lower</li>
</ul>
<h2>Credits</h2>
<p>Thanks to <a href="https://hackerone.com/david_h1?type=user">david_h1</a> for discovering this issue.</p>
<h2>History</h2>
<ul>
<li>Originally published at 2024-03-21 04:00:00 (UTC)</li>
</ul>
<p>Posted by hsbt on 21 Mar 2024</p>
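The advisory's affected list ("StringIO gem 3.0.2 or lower") and its two backported fixes (3.0.1.1 and 3.0.1.2) overlap in version order, so a naive "3.0.2 or lower is vulnerable" rule would flag the patched backports as affected. The following Ruby script is an added example, not part of the ruby-lang.org advisory, that encodes the advisory's version ranges with the standard Gem::Version and Gem::Requirement classes and checks the stringio version loaded in the current process. The function names stringio_affected?, gemfile_constraint_satisfied? and loaded_stringio_version are this example's own.

```ruby
# Added example (not code from the Ruby advisory): classify a stringio gem
# version against the CVE-2024-27280 ranges the advisory lists.
require "rubygems"
require "stringio"

# Backported fix releases named in the advisory. They sort *below* 3.0.2 under
# Gem::Version ordering, so they must be excluded before the range check.
FIXED_BACKPORTS = %w[3.0.1.1 3.0.1.2].map { |v| Gem::Version.new(v) }.freeze

# "StringIO gem 3.0.2 or lower" from the Affected versions list.
LAST_AFFECTED = Gem::Version.new("3.0.2")

# The Gemfile line the advisory recommends for Bundler users.
GEMFILE_CONSTRAINT = Gem::Requirement.new(">= 3.0.1.2")

# true when +version+ (a String such as "3.0.1") falls in the affected range
# and is not one of the backported fixes.
def stringio_affected?(version)
  v = Gem::Version.new(version)
  return false if FIXED_BACKPORTS.include?(v)
  v <= LAST_AFFECTED
end

# true when +version+ satisfies the recommended Gemfile constraint.
# Note that 3.0.1.1 (the Ruby 3.0 backport) is not affected but does NOT
# satisfy ">= 3.0.1.2"; the two sets are not identical.
def gemfile_constraint_satisfied?(version)
  GEMFILE_CONSTRAINT.satisfied_by?(Gem::Version.new(version))
end

# Version string of the stringio actually loaded in this process, or nil
# when the loaded extension does not expose StringIO::VERSION.
def loaded_stringio_version
  StringIO.const_defined?(:VERSION) ? StringIO::VERSION : nil
end

if __FILE__ == $PROGRAM_NAME
  v = loaded_stringio_version
  if v
    status = stringio_affected?(v) ? "AFFECTED by CVE-2024-27280" : "not affected"
    puts "loaded stringio #{v}: #{status}"
  else
    puts "loaded stringio does not report StringIO::VERSION"
  end
end
```

Run it under each Ruby interpreter you ship (for example, `ruby check_stringio.rb` inside the application's bundle) rather than once per host, because the version that matters is the one loaded by that interpreter, not the newest one installed.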
Link: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Published date: 2024-03-21 04:00:00 UTC
Guid: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Hidden blurb:
--- !ruby/object:Feedjira::Parser::RSSEntry
published: 2024-03-21 04:00:00.000000000 Z
carlessian_info:
  news_filer_version: 2
  newspaper: Ruby (EN RSS)
  macro_region: Technology
entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier
  guid: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
title: 'CVE-2024-27280: Buffer overread vulnerability in StringIO'
categories: []
summary: (identical to the Summary field above)
rss_fields:
- title
- url
- summary
- published
- entry_id
url: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Ricc internal notes
Imported via /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-04-03 16:31:19 +0200. Content is EMPTY here. Entries: title,url,summary,published,entry_id. TODO add Newspaper: filename = /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Technology/Ruby (EN RSS)/2024-03-21-CVE-2024-27280:_Buffer_overread_vulnerability_in_StringIO-v2.yaml