There are security holes in the Ruby gems RDoc and StringIO. The Ruby project announced this in two security advisories. Developers and admins should check whether they are using current, bug-fixed versions of the gems and, if possible, install updates.
The presumably more dangerous of the two vulnerabilities (neither CVSS scores nor risk ratings have been published for the bugs so far) has the CVE ID CVE-2024-27281 and affects the RDoc gem. While RDoc parses the YAML file .rdoc_options, an attacker can inject objects by storing them in that file in the appropriate notation, and can then execute their own code in the context of the Ruby program. A similar attack on the documentation cache can also lead to code execution.
Users of the RDoc gem should switch to the fixed release appropriate for their version of Ruby, namely:
- For Ruby 3.0: rdoc 6.3.4.1
- For Ruby 3.1: rdoc 6.4.1.1
- For Ruby 3.2: rdoc 6.5.1.1
Memory leak in StringIO
The StringIO gem, on the other hand, suffers from a "buffer overread": the methods ungetbyte and ungetc read memory beyond the actual end of the argument passed to them, which results in unintended information disclosure. This allows an attacker to read parts of memory they should not have access to. The vulnerability has the CVE ID CVE-2024-27280 and is fixed in the following StringIO versions:
- For Ruby 3.0: stringio 3.0.1.1
- For Ruby 3.1: stringio 3.0.1.2
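Both version lists above are meant to be checked against what is actually installed. The following script is an added example, not code from the article or from the Ruby project: it takes the fixed rdoc and stringio versions named above, keyed by Ruby minor series, and reports whether the installed gem is older than the fixed release. Ruby series the article does not list (for example 3.2 for stringio) are reported as unknown rather than guessed; the function names (ruby_series, assess, installed_version) are this example's own.

```ruby
# Added example (not from the article or the Ruby project): compares installed
# rdoc / stringio gems with the fixed releases the advisories name for each
# Ruby series. The version table is taken from the article; any Ruby series
# not present there yields :unknown instead of a guess.
require "rubygems"

FIXED_VERSIONS = {
  "rdoc"     => { "3.0" => "6.3.4.1", "3.1" => "6.4.1.1", "3.2" => "6.5.1.1" },
  "stringio" => { "3.0" => "3.0.1.1", "3.1" => "3.0.1.2" },
}.freeze

# "3.1.4" -> "3.1": the minor series the advisory table is keyed by.
def ruby_series(ruby_version = RUBY_VERSION)
  ruby_version.split(".").first(2).join(".")
end

# Returns :vulnerable if the installed version is older than the fixed one,
# :fixed otherwise, or :unknown when the article gives no fixed version for
# this Ruby series. Gem::Version handles the four-component versions
# (6.3.4 < 6.3.4.1) correctly.
def assess(gem_name, installed, ruby_version = RUBY_VERSION)
  table = FIXED_VERSIONS.fetch(gem_name) do
    raise ArgumentError, "no advisory data for #{gem_name}"
  end
  fixed = table[ruby_series(ruby_version)]
  return :unknown unless fixed
  Gem::Version.new(installed) < Gem::Version.new(fixed) ? :vulnerable : :fixed
end

# Highest installed version of a gem (default gems included), or nil if absent.
def installed_version(gem_name)
  spec = Gem::Specification.find_all_by_name(gem_name).max_by(&:version)
  spec && spec.version.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION} (series #{ruby_series})"
  FIXED_VERSIONS.each_key do |name|
    v = installed_version(name)
    puts "#{name}: #{v ? "#{v} -> #{assess(name, v)}" : 'not installed'}"
  end
end
```

Run it with the Ruby interpreter whose gems you want to audit; a project that pins its own copy of either gem in a Gemfile.lock needs the same comparison against the locked version, since that copy is the one loaded at runtime.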
(cku)