en/news/_posts/2024-03-21-buffer-overread-cve-2024-27280.md
Lines changed: 7 additions & 6 deletions
@@ -8,32 +8,33 @@ tags: security
8
8
lang: en
9
9
---
10
10
11
-
We have released the stringio gem version 3.0.1.1 and 3.0.1.2 that have a security fix for a buffer overread vulnerability.
11
+
We have released the StringIO gem version 3.0.1.1 and 3.0.1.2 that have a security fix for a buffer overread vulnerability.
12
12
This vulnerability has been assigned the CVE identifier [CVE-2024-27280](https://www.cve.org/CVERecord?id=CVE-2024-27280).
13
13
14
14
## Details
15
15
16
16
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.
17
17
18
-
The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.
18
+
The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value.
19
19
20
-
This vulnerability is not affected by Ruby 3.2.x and later.
20
+
This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.
21
21
22
22
## Recommended action
23
23
24
-
We recommend to update the stringio gem to version 3.0.1.2 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
24
+
We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
25
25
26
26
* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
27
+
* For Ruby 3.1 users: Update to `stringio` 3.0.1.2
27
28
28
-
StringIO-3.0.1.2 contained bugfix for [[Bug #19389]][https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2]. This fix has been backported to Ruby 3.1.4. But we didn't change stringio version from 3.0.1. Therefore, we released 3.0.1.2 to include the vulnerability fix.
29
+
StringIO3.0.1.2 contained bugfix for [[Bug #19389]][https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2]. This fix has been backported to Ruby 3.1.4. But we didn't change stringio version from 3.0.1. Therefore, we released 3.0.1.2 to include the vulnerability fix.
29
30
30
31
You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
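Review bot: the recommended version and the Gemfile constraint in this hunk disagree. The new "Recommended action" line says "update the StringIO gem to version 3.0.3 or later", while the unchanged closing line still tells bundler users to add `gem "stringio", ">= 3.0.1.2"`; that constraint also permits 3.0.2, which the post does not list among the unaffected versions (it names only 3.0.1.1, 3.0.1.2, and 3.0.3 and later). Either bump the Gemfile line to `">= 3.0.3"` or add the per-series constraints (`3.0.1.1` for Ruby 3.0, `3.0.1.2` for Ruby 3.1) so the two statements match. Three smaller points in the same hunk: the new sentence "This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later." is missing a verb form and reads backwards; a version is not "affected by" a vulnerability, so "This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later." is the intended meaning. The edit that dropped the hyphen from "StringIO-3.0.1.2" also dropped the space, leaving "StringIO3.0.1.2"; "StringIO 3.0.1.2" is what the rest of the post uses. Finally, `[[Bug #19389]][https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2]` carries over from the old line and is not valid Markdown link syntax (square brackets around the URL instead of parentheses), so it will render as literal text rather than a link; `[Bug #19389](https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2)` would render correctly. Since `gets` is an instance method, `StringIO#gets` would also follow the Ruby documentation convention better than `StringIO.gets`.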