File tree 1 file changed +35
-0
lines changed
1 file changed +35
-0
lines changed Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2024-27280 (stringio): Buffer overread vulnerability in StringIO'
4+ comments : false
5+ categories :
6+ - stringio
7+ advisory :
8+ gem : stringio
9+ cve : 2024-27280
10+ url : https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
11+ title : Buffer overread vulnerability in StringIO
12+ date : 2024-03-21
13+ description : |
14+ An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x
15+ through 3.0.6 and 3.1.x through 3.1.4.
16+
17+ The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a
18+ string, and a subsequent call to `StringIO.gets` may return the memory value.
19+
20+ This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x
21+ and later.
22+
23+ We recommend to update the StringIO gem to version 3.0.3 or later. In order to
24+ ensure compatibility with bundled version in older Ruby series, you may update
25+ as follows instead:
26+
27+ * For Ruby 3.0 users: Update to `stringio` 3.0.1.1
28+ * For Ruby 3.1 users: Update to `stringio` 3.0.1.2
29+
30+ You can use `gem update stringio` to update it. If you are using bundler,
31+ please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
32+ patched_versions :
33+ - " ~> 3.0.1.1"
34+ - " >= 3.0.1.2"
35+ ---
You can’t perform that action at this time.
0 commit comments