Draft for CVE-2024-27280

Author: hsbt

en/news/_posts/2024-03-21-buffer-overread-cve-2024-27280.md

@@ -0,0 +1,44 @@
+---
+layout: news_post
+title: "CVE-2024-27280: Buffer overread vulnerability in StringIO"
+author: "hsbt"
+translator:
+date: 2023-03-21 11:00:00 +0000
+tags: security
+lang: en
+---
+
+We have released the stringio gem version 3.0.1.1 and 3.0.1.2 that have a security fix for a buffer overread vulnerability.
+This vulnerability has been assigned the CVE identifier [CVE-2024-27280](https://www.cve.org/CVERecord?id=CVE-2024-27280).
+
+## Details
+
+An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.
+
+The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.
+
+This vulnerability is not affected by Ruby 3.2.x and later.
+
+## Recommended action
+
+We recommend to update the stringio gem to version 3.0.1.2 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
+
+* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
+
+StringIO-3.0.1.2 contained bugfix for [[Bug #19389]][https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2]. This fix has been backported to Ruby 3.1.4. But we didn't change stringio version from 3.0.1. Therefore, we released 3.0.1.2 to include the vulnerability fix.
+
+You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
+
+## Affected versions
+
+* Ruby 3.0.6 or lower
+* Ruby 3.1.4 or lower
+* StringIO gem 3.0.1 or lower
+
+## Credits
+
+Thanks to [david_h1](https://hackerone.com/david_h1?type=user) for discovering this issue.
+
+## History
+
+* Originally published at 2024-03-21 11:00:00 (UTC)