Added CVE-2024-27280 for the stringio gem (issue #769).

postmodern · postmodern · commit 040177d18844 · 2024-03-24T17:38:36.000-07:00
diff --git a/gems/stringio/CVE-2024-27280.yml b/gems/stringio/CVE-2024-27280.yml
@@ -0,0 +1,28 @@
+---
+gem: stringio
+cve: 2024-27280
+url: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
+title: Buffer overread vulnerability in StringIO
+date: 2024-03-21
+description: |
+  An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x
+  through 3.0.6 and 3.1.x through 3.1.4.
+
+  The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a
+  string, and a subsequent call to `StringIO.gets` may return the memory value.
+
+  This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x
+  and later.
+
+  We recommend to update the StringIO gem to version 3.0.3 or later. In order to
+  ensure compatibility with bundled version in older Ruby series, you may update
+  as follows instead:
+
+  * For Ruby 3.0 users: Update to `stringio` 3.0.1.1
+  * For Ruby 3.1 users: Update to `stringio` 3.0.1.2
+
+  You can use `gem update stringio` to update it. If you are using bundler,
+  please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
+patched_versions:
+  - "~> 3.0.1.1"
+  - ">= 3.0.1.2"
