A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ruby | Ruby-lang | 3.0.0 (including) | 3.0.4 (excluding) |
| Ruby | Ruby-lang | 3.1.0 (including) | 3.1.2 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | ruby:3.0-8060020220810162001.ad008a3a | * |
| Red Hat Enterprise Linux 9 | RedHat | ruby-0:3.0.4-160.el9_0 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby30-ruby-0:3.0.4-149.el7 | * |
| Ruby3.0 | Ubuntu | jammy | * |
| Ruby3.0 | Ubuntu | upstream | * |
Potential Mitigations
References
- https://hackerone.com/reports/1220911
- https://security-tracker.debian.org/tracker/CVE-2022-28738
- https://security.gentoo.org/glsa/202401-27
- https://security.netapp.com/advisory/ntap-20220624-0002/
- https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
- https://hackerone.com/reports/1220911
- https://security-tracker.debian.org/tracker/CVE-2022-28738
- https://security.gentoo.org/glsa/202401-27
- https://security.netapp.com/advisory/ntap-20220624-0002/
- https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/