Merge branch 'CVE-2024-27280-stringio'

Author: hsbt

en/news/_posts/2024-03-21-buffer-overread-cve-2024-27280.md

@@ -0,0 +1,45 @@
+---
+layout: news_post
+title: "CVE-2024-27280: Buffer overread vulnerability in StringIO"
+author: "hsbt"
+translator:
+date: 2023-03-21 11:00:00 +0000
+tags: security
+lang: en
+---
+
+We have released the StringIO gem version 3.0.1.1 and 3.0.1.2 that have a security fix for a buffer overread vulnerability.
+This vulnerability has been assigned the CVE identifier [CVE-2024-27280](https://www.cve.org/CVERecord?id=CVE-2024-27280).
+
+## Details
+
+An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.
+
+The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value.
+
+This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.
+
+## Recommended action
+
+We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
+
+* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
+* For Ruby 3.1 users: Update to `stringio` 3.0.1.2
+
+Note: hat StringIO 3.0.1.2 contains not only the fix for this vulnerability but also a bugfix for [[Bug #19389]][https://github.com/ruby/ruby/commit/1d24a931c458c93463da1d5885f33edef3677cc2].
+
+You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
+
+## Affected versions
+
+* Ruby 3.0.6 or lower
+* Ruby 3.1.4 or lower
+* StringIO gem 3.0.2 or lower
+
+## Credits
+
+Thanks to [david_h1](https://hackerone.com/david_h1?type=user) for discovering this issue.
+
+## History
+
+* Originally published at 2024-03-21 11:00:00 (UTC)