[FREEBSD:F22144D7-BAD1-11EC-9CFE-0800270512F4] Ruby -- Double free in Regexp compilation

Severity Critical
Affected Packages 4
CVEs 1

piao reports:

    Due to a bug in the Regexp compilation process, creating
    a Regexp object with a crafted source string could cause
    the same memory to be freed twice. This is known as a
    "double free" vulnerability. Note that, in general, it
    is considered unsafe to create and use a Regexp object
    generated from untrusted input. In this case, however,
    following a comprehensive assessment, we treat this issue
    as a vulnerability.

Package               Affected Version
pkg:freebsd/ruby32    < 3.2.0.p1_1,1
pkg:freebsd/ruby31    < 3.1.2,1
pkg:freebsd/ruby30    < 3.0.4,1
pkg:freebsd/ruby      < 3.0.4,1

ID: FREEBSD:F22144D7-BAD1-11EC-9CFE-0800270512F4
Severity: critical
Severity from: CVE-2022-28738
URL: http://vuxml.freebsd.org/freebsd/f22144d7-bad1-11ec-9cfe-0800270512f4.html
Published: 2022-04-12T00:00:00
Modified: 2022-04-13T00:00:00
Rights: FreeBSD VuXML Security Team