From bb0622bad82faa1bb567aaf5953e043a1822cd0f Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Fri, 23 Jan 2026 14:48:30 -0500
Subject: [PATCH 1/4] GHSA SYNC: 1 modified and 1 brand new advisory
---
 rubies/mruby/CVE-2025-7207.yml | 42 ++++++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2024-27282.yml | 12 ++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 rubies/mruby/CVE-2025-7207.yml
diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml
new file mode 100644
index 0000000000..f9e57aa74e
--- /dev/null
+++ b/rubies/mruby/CVE-2025-7207.yml
@@ -0,0 +1,42 @@
+---
+engine: mruby
+cve: 2025-7207
+ghsa: 48pr-6hvf-39v3
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+title: Heap-based buffer overflow vulnerability in mruby 3.4.0-rc2
+date: 2025-07-08
+description: |
+ A vulnerability, which was classified as problematic, was found
+ in mruby up to 3.4.0-rc2. Affected is the function scope_new of
+ the file mrbgems/mruby-compiler/core/codegen.c of the component
+ nregs Handler. The manipulation leads to heap-based buffer overflow.
+ An attack has to be approached locally. The exploit has been
+ disclosed to the public and may be used. The name of the patch
+ is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended
+ to apply a patch to fix this issue.
+
+ - Text (not a link)
+ - https://github.com/user-attachments/files/19619499/mruby_crash.txt
+
+ ## RELEASE NOTES
+ - Found Issue #6509 listed in **unreleased** mruby 3.5 NEWS.md
+ file listed below.
+cvss_v2: 1.7
+cvss_v3: 5.5
+cvss_v4: 4.4
+patched_versions:
+ - ">= 3.5.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+ - https://github.com/mruby/mruby/blob/master/NEWS.md
+ - https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
+ - https://github.com/mruby/mruby/issues/6509#event-17145516649
+ - https://github.com/mruby/mruby/issues/6509
+ - https://vuldb.com/?ctiid.315156
+ - https://vuldb.com/?id.315156
+ - https://vuldb.com/?submit.607683
+ - https://www.wiz.io/vulnerability-database/cve/cve-2025-7207
+ - https://github.com/advisories/GHSA-48pr-6hvf-39v3
+notes: |
+ - mruby 3.5.0 has not be released as 1/23/2026.
diff --git a/rubies/ruby/CVE-2024-27282.yml b/rubies/ruby/CVE-2024-27282.yml
index d4a9f581f8..f35f36759f 100644
--- a/rubies/ruby/CVE-2024-27282.yml
+++ b/rubies/ruby/CVE-2024-27282.yml
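Review bot: The `notes` block at the end of the new file reads "has not be released as 1/23/2026", which is ungrammatical and uses a locale-ambiguous date while the file's own `date:` field is ISO formatted. The same wording is carried unchanged into the combined `notes:` string in the first hunk of PATCH 4/4, even though that commit's message already has the corrected phrasing. I would write it as `- mruby 3.5.0 has not been released as of 2026-01-23.` Separately, the `title` names only 3.4.0-rc2 while the description says "up to 3.4.0-rc2"; someone triaging by title alone could under-scope the affected range.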
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2024-27282
+ghsa: 63cq-cj6g-qfr2
 url: https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
 title: Arbitrary memory address read vulnerability with Regex search
 date: 2024-04-23
@@ -15,8 +16,19 @@ description: |
 * For Ruby 3.1 users: Update to 3.1.5
 * For Ruby 3.2 users: Update to 3.2.4
 * For Ruby 3.3 users: Update to 3.3.1
+cvss_v3: 6.6
 patched_versions:
 - "~> 3.0.7"
 - "~> 3.1.5"
 - "~> 3.2.4"
 - ">= 3.3.1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-27282
+ - https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282
+ - https://hackerone.com/reports/2122624
+ - https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
+ - https://security.netapp.com/advisory/ntap-20241011-0007
+ - https://github.com/advisories/GHSA-63cq-cj6g-qfr2
From 201cf82b70c0c5d535bbf9ccbd8345ab4c80404d Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sat, 31 Jan 2026 08:14:48 -0500
Subject: [PATCH 2/4] Remove non-functional link from CVE-2025-7207.yml Removed a non-functional link from the CVE YAML file.
---
 rubies/mruby/CVE-2025-7207.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml
index f9e57aa74e..0a61b884cf 100644
--- a/rubies/mruby/CVE-2025-7207.yml
+++ b/rubies/mruby/CVE-2025-7207.yml
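Review bot: The second entry added under `related.url` in the second hunk is the advisory's own top-level `url` with only the trailing slash removed, so the primary reference now appears twice in two spellings. Anything that de-duplicates or compares references by exact string will treat them as distinct; I would drop the entry or make both spellings identical. The added `cvss_v3: 6.6` carries no vector string, so the score cannot be checked from the record itself and relies on the NVD link staying reachable.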
@@ -15,9 +15,6 @@ description: | is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply a patch to fix this issue. - - Text (not a link) - - https://github.com/user-attachments/files/19619499/mruby_crash.txt - ## RELEASE NOTES - Found Issue #6509 listed in **unreleased** mruby 3.5 NEWS.md file listed below. From 3cf1458e974b4008e7be6fc578de77df2281d37e Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Sat, 31 Jan 2026 08:21:00 -0500 Subject: [PATCH 3/4] Update CVE-2025-7207.yml with patch notes --- rubies/mruby/CVE-2025-7207.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml index 0a61b884cf..21a2a8f10d 100644 --- a/rubies/mruby/CVE-2025-7207.yml +++ b/rubies/mruby/CVE-2025-7207.yml @@ -21,8 +21,7 @@ description: | cvss_v2: 1.7 cvss_v3: 5.5 cvss_v4: 4.4 -patched_versions: - - ">= 3.5.0" +notes: "Never patched" related: url: - https://nvd.nist.gov/vuln/detail/CVE-2025-7207 From d756f4c2c5be87d56fdf10803edf05df51aefcea Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Sat, 31 Jan 2026 08:24:03 -0500 Subject: [PATCH 4/4] Combine 2 notes: fields into one. Updated notes to clarify that mruby 3.5.0 has not been released as of 1/23/2026. --- rubies/mruby/CVE-2025-7207.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml index 21a2a8f10d..d8f1aaf479 100644 --- a/rubies/mruby/CVE-2025-7207.yml +++ b/rubies/mruby/CVE-2025-7207.yml @@ -21,7 +21,7 @@ description: | cvss_v2: 1.7 cvss_v3: 5.5 cvss_v4: 4.4 -notes: "Never patched" +notes: "Never patched - mruby 3.5.0 has not be released as 1/23/2026." related: url: - https://nvd.nist.gov/vuln/detail/CVE-2025-7207 
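Review bot: In the PATCH 3/4 hunk, `notes: "Never patched"` replaces `patched_versions`, but the description in the same file still names a fix commit and the `related` list links to it, so the record now says both that a patch exists and that there never was one. With no `patched_versions`, consumers of this file presumably have no version to recommend and will flag every mruby release; that matches the current state but has to be revisited once a release contains the fix. I would word it as `notes: "Fix committed upstream, not yet in a released version"`, and if the repository's linting expects the literal `Never patched`, keep that prefix and append the qualifier. People building mruby from source can then tell from the record that the commit under `related` is the remediation.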
@@ -34,5 +34,3 @@ related:
 - https://vuldb.com/?submit.607683
 - https://www.wiz.io/vulnerability-database/cve/cve-2025-7207
 - https://github.com/advisories/GHSA-48pr-6hvf-39v3
-notes: |
- - mruby 3.5.0 has not be released as 1/23/2026.