Added CVE-2026-27820 for the zlib gem (#1010)

Author: jasnow

gems/zlib/CVE-2026-27820.yml

@@ -0,0 +1,48 @@
+---
+gem: zlib
+cve: 2026-27820
+url: https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820
+title: Buffer overflow vulnerability in Zlib::GzipReader
+date: 2026-03-05
+description: |
+  A buffer overflow vulnerability exists in Zlib::GzipReader.
+  This vulnerability has been assigned the CVE identifier
+  CVE-2026-27820. We recommend upgrading the zlib gem.
+
+  ## Details
+
+  The zstream_buffer_ungets function prepends caller-provided bytes
+  ahead of previously produced output but fails to guarantee the
+  backing Ruby string has enough capacity before the memmove shifts
+  the existing data. This can lead to memory corruption when the
+  buffer length exceeds capacity.
+
+  ## Recommended action
+
+  We recommend to update the zlib gem to version 3.2.3 or later.
+  In order to ensure compatibility with bundled version in older
+  Ruby series, you may update as follows instead:
+
+  * For Ruby 3.2 users: Update to zlib 3.0.1
+  * For Ruby 3.3 users: Update to zlib 3.1.2
+  * You can use gem update zlib to update it. If you are using
+     bundler, please add gem "zlib", ">= 3.2.3" to your Gemfile.
+
+  ## Affected versions:
+
+  zlib gem 3.2.2 or lower
+
+  ## Credits
+
+  Thanks to calysteon for reporting this issue. Also thanks to
+  nobu for creating the patch.
+patched_versions:
+  - "~> 3.0.1"
+  - "~> 3.1.2"
+  - ">= 3.2.3"
+related:
+  url:
+    - https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820
+    - https://rubygems.org/gems/zlib/versions/3.2.3
+    - https://rubygems.org/gems/zlib/versions/3.1.2
+    - https://rubygems.org/gems/zlib/versions/3.0.1