CVE-2024-27282

NameCVE-2024-27282
DescriptionAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5677-1
Debian Bugs1069968, 1069969

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby2.5 (PTS)buster2.5.5-3+deb10u4vulnerable
buster (security)2.5.5-3+deb10u6vulnerable
ruby2.7 (PTS)bullseye (security), bullseye2.7.4-1+deb11u1vulnerable
ruby3.1 (PTS)bookworm3.1.2-7vulnerable
bookworm (security)3.1.2-7+deb12u1fixed
trixie, sid3.1.2-8.3vulnerable
ruby3.2 (PTS)sid3.2.3-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby2.5source(unstable)(unfixed)
ruby2.7source(unstable)(unfixed)
ruby3.1sourcebookworm3.1.2-7+deb12u1DSA-5677-1
ruby3.1source(unstable)(unfixed)1069969
ruby3.2source(unstable)(unfixed)1069968

Notes

https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a

Search for package or bug name: Reporting problems