ruby-3.3.1

[Bruce Dubbs]

New point version.

[Douglas R. Reno]

This is a security release, fixing three security vulnerabilities:

• CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
• CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
• CVE-2024-27280: Buffer overread vulnerability in StringIO

The rest of the release notes:

    Update net-* gems for Ruby 3.3 by hsbt · Pull Request #9418
    Bug #20086: Windows memory mapped file IO::Buffer is buggy.
    Bug #20083: String#match? behaving inconsistently with Ruby 3.3.0
    Bug #20094: Inline while loop behavior changed unexpectedly in 3.3.0
    Bug #20090: Anonymous arguments are now syntax errors in unambiguous cases
    Bug #20104: Regexp#match returns nil but allocates T_MATCH objects
    Bug #20145: Memory leak when duplicating identhash
    Bug #20149: Fix memory leak in IPSocket rb_getaddrinfo
    Bug #20157: Regression in GC.measure_total_time
    Backport bundled_gems.rb for Ruby 3.3 by hsbt · Pull Request #9457
    Bug #20173: Backport 597955a, 8b65d15
    Bug #20162: Memory leak when duplicating too complex object
    Fix test session reuse but expire by nurse · Pull Request #9824
    Bug #20172: Socket.addrinfo failing randomly
    Bug #20178: Out of bounds stack read on Array#first when built with -O0
    YJIT: reduce default exec mem size to 48MiB by maximecb · Pull Request #9692
    Backport #9415 to ruby_3_3 by k0kubun · Pull Request #9424
    Bug #19542: Operations on zero-sized IO::Buffer are raising
    Bug #20231: Don't wait in io_binwrite_string if not necessary.
    Bug #20085: Fiber.new{ }.resume causes Segmentation fault for Ruby 3.3.0 on aarch64-
linux
    Merge RubyGems 3.5.5 and Bundler 2.5.5 by hsbt · Pull Request #9676
    Bug #20214: Backport https://github.com/ruby/ruby/pull/9711 to fix exits on Ruby 
3.3's new instruction
    Bug #20096: Ruby 3.2.2 win32/registry: Junk appended to Windows Registry String 
Value
    Bug #20161: Memory leak in regexp grapheme clusters
    Feature #19982: Bump required Visual Studio version to 2015 after 3.3
    Bug #20198: Threaded DNS resolver does not propagate errno to the calling thread
    Bug #20150: Memory leak in grapheme clusters
    Bug #20209: YJIT can leak memory by retaining objects with singleton class
    Backport #9498 to Ruby 3.3 by krk · Pull Request #9805
    Bug #20208: Net::HTTP errors with Errno::EAFNOSUPPORT when setting local_host with 
Addrinfo
    Bug #20098: Wrong regexp match in ruby 3.2 and 3.3
    Bug #20194: Memory leak with TracePoint on bmethod
    Bug #20197: Postponed job invocations are significantly reduced in Ruby 3.3
    Bug #20213: zsuper with keyword splat without explicit keywords incorrectly uses 
mutable keyword splat
    Bug #20190: invalid_encoding_string << number should be valid encoding in some case, 
but does not
    Bug #20228: Memory leak in Regexp timeout
    Bug #20207: Segmentation fault for a regexp containing positive and negative 
lookaheads
    Bug #20245: Crash when checking symbol encoding
    Bug #20246: Unexpected behavior for Regexp in Subexpression Calls on Ruby 3.3.0
    Bug #20183: erb/escape.so cannot be loaded when --with-static-linked-ext
    Bug #20250: Crash with "Object ID seen, but not in mapping table: proc" error
    Bug #20327: Time.new behaves differently when passing a zone as timezone object
    Bug #19907: Method calls with keyword arguments in eval leaks callcache and callinfo 
objects
    Bug #20311: Struct.new("A") memory leak?
    CVE-2024-27281 for Ruby 3.3 by hsbt · Pull Request #10316
    Bug #20304: Memory leak when setting Encoding.default_internal
    Bug #20324: (1..).overlap?('foo'..) returns true
    Backport https://github.com/ruby/ruby/pull/10347 by hsbt · Pull Request #10349
    Merge RubyGems 3.5.9 and Bundler 2.5.9 (Fixed CI at Ruby 3.3) by hsbt · Pull Request 
#10348

[Douglas R. Reno]

Marking High because we have an RCE issue

[Douglas R. Reno]

Fixed at 27f695541de7bceddaaba6a5949c54a7c9784386

SA-12.1-035 issued