CVE-2024-27280
Publication date 14 May 2024
Last updated 24 July 2024
Ubuntu priority
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ruby2.3 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| ruby2.5 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| ruby2.7 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Fixed 2.7.0-5ubuntu1.14
|
|
| ruby3.0 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Fixed 3.0.2-7ubuntu2.7
|
|
| 20.04 LTS focal | Not in release | |
| ruby3.1 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| ruby3.2 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
References
Related Ubuntu Security Notices (USN)
- USN-6853-1
- Ruby vulnerability
- 26 June 2024