new file mode 100644
@@ -0,0 +1,87 @@
+From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Mon, 10 Jun 2024 11:46:53 +0000
+Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
+
+CVE: CVE-2024-27280
+Upstream-Status: Backport [https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ ext/stringio/stringio.c | 2 +-
+ test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
+index 8df07e8..b2e8632 100644
+--- a/ext/stringio/stringio.c
++++ b/ext/stringio/stringio.c
+@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
+ len = RSTRING_LEN(str);
+ rest = pos - len;
+ if (cl > pos) {
+- long ex = (rest < 0 ? cl-pos : cl+rest);
++ long ex = cl - (rest < 0 ? pos : len);
+ rb_str_modify_expand(str, ex);
+ rb_str_set_len(str, len + ex);
+ s = RSTRING_PTR(str);
+diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
+index e0b4504..4853513 100644
+--- a/test/stringio/test_stringio.rb
++++ b/test/stringio/test_stringio.rb
+@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
+ assert_equal("b""\0""a", s.string)
+ end
+
++ def test_ungetc_fill
++ count = 100
++ s = StringIO.new
++ s.print 'a' * count
++ s.ungetc('b' * (count * 5))
++ assert_equal((count * 5), s.string.size)
++ assert_match(/\Ab+\z/, s.string)
++ end
++
+ def test_ungetbyte_pos
+ b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
+ s = StringIO.new( b )
+@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
+ assert_equal("b""\0""a", s.string)
+ end
+
++ def test_ungetbyte_fill
++ count = 100
++ s = StringIO.new
++ s.print 'a' * count
++ s.ungetbyte('b' * (count * 5))
++ assert_equal((count * 5), s.string.size)
++ assert_match(/\Ab+\z/, s.string)
++ end
++
+ def test_frozen
+ s = StringIO.new
+ s.freeze
+@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
+ end
+
+ def test_overflow
+- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
++ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+ limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
+ assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+ begin;
+ limit = #{limit}
+ ary = []
+- while true
++ begin
+ x = "a"*0x100000
+ break if [x].pack("p").unpack("i!")[0] < 0
+ ary << x
+- omit if ary.size > 100
+- end
++ end while ary.size <= 100
+ s = StringIO.new(x)
+ s.gets("xxx", limit)
+ assert_equal(0x100000, s.pos)
+--
+2.40.0
@@ -34,6 +34,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2023-36617_1.patch \
file://CVE-2023-36617_2.patch \
file://CVE-2024-27281.patch \
+ file://CVE-2024-27280.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"