CVE-2024-27282

Name	CVE-2024-27282
Description	An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3858-1, DSA-5677-1, ELA-1148-1, ELA-1149-1, ELA-1150-1
Debian Bugs	1069968, 1069969

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby2.1 (PTS)	jessie, jessie (lts)	2.1.5-2+deb8u14	fixed
ruby2.3 (PTS)	stretch (security)	2.3.3-1+deb9u11	vulnerable
	stretch (lts), stretch	2.3.3-1+deb9u12	fixed
ruby2.5 (PTS)	buster, buster (lts)	2.5.5-3+deb10u7	fixed
	buster (security)	2.5.5-3+deb10u6	vulnerable
ruby2.7 (PTS)	bullseye	2.7.4-1+deb11u1	vulnerable
	bullseye (security)	2.7.4-1+deb11u2	fixed
ruby3.1 (PTS)	bookworm (security), bookworm	3.1.2-7+deb12u1	fixed
	sid, trixie	3.1.2-8.4	vulnerable
ruby3.2 (PTS)	sid	3.2.3-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby2.1	source	jessie	2.1.5-2+deb8u14	ELA-1148-1
ruby2.1	source	(unstable)	(unfixed)
ruby2.3	source	stretch	2.3.3-1+deb9u12	ELA-1149-1
ruby2.3	source	(unstable)	(unfixed)
ruby2.5	source	buster	2.5.5-3+deb10u7	ELA-1150-1
ruby2.5	source	(unstable)	(unfixed)
ruby2.7	source	bullseye	2.7.4-1+deb11u2	DLA-3858-1
ruby2.7	source	(unstable)	(unfixed)
ruby3.1	source	bookworm	3.1.2-7+deb12u1	DSA-5677-1
ruby3.1	source	(unstable)	(unfixed)		1069969
ruby3.2	source	(unstable)	(unfixed)		1069968

Notes

https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a