GHSA SYNC: Advisories (2 mruby and 1 mrubyc brand new) plus schema change

rubies/mruby/CVE-2025-12875.yml

@@ -0,0 +1,35 @@
+---
+engine: mruby
+cve: 2025-12875
+ghsa: q269-xqww-45mm
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-12875
+title: Out-of-bounds write vulnerability
+date: 2025-11-07
+description: |
+  A weakness has been identified in mruby 3.4.0. This vulnerability
+  affects the function ary_fill_exec of the file
+  mrbgems/mruby-array-ext/src/array.c. Executing manipulation of
+  the argument start/length can lead to out-of-bounds write. The
+  attack needs to be launched locally. The exploit has been made
+  available to the public and could be exploited.
+  This patch is called 93619f06dd378db6766666b30c08978311c7ec94.
+  It is best practice to apply a patch to resolve this issue.
+
+  ## RELEASE INFO
+  - Commit 93619f0 10/22//2025 for ISS#6650 (Found in
+    unreleased mruby3.5 NEWS.md file)
+cvss_v2: 4.3
+cvss_v3: 7.8
+cvss_v4: 4.8
+patched_versions:
+  - ">= 3.5.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-12875
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/93619f06dd378db6766666b30c08978311c7ec94
+    - https://github.com/mruby/mruby/issues/6650
+    - https://vuldb.com/?ctiid.331511
+    - https://vuldb.com/?id.331511
+    - https://vuldb.com/?submit.680879
+    - https://github.com/advisories/GHSA-q269-xqww-45mm

rubies/mruby/CVE-2025-13120.yml

@@ -0,0 +1,35 @@
+---
+engine: mruby
+cve: 2025-13120
+ghsa: j383-q79v-268x
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-13120
+title: Use-after-realloc vulnerablity in mruby 3.4.0
+date: 2025-11-13
+description: |
+  A vulnerability has been found in mruby up to 3.4.0. This
+  vulnerability affects the function sort_cmp of the file src/array.c.
+  Such manipulation leads to use after free. An attack has to be
+  approached locally. The exploit has been disclosed to the public
+  and may be used.
+  The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc.
+  It is advisable to implement a patch to correct this issue.
+
+  ## RELEASE INFO
+  - Commit eb39897 10/27//2025 for ISS#6649 (Found in
+    unreleased mruby3.5 NEWS.md file)
+cvss_v2: 4.3
+cvss_v3: 5.5
+cvss_v4: 4.8
+patched_versions:
+  - ">= 3.5.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-13120
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc
+    - https://github.com/mruby/mruby/issues/6649
+    - https://github.com/makesoftwaresafe/mruby/pull/263
+    - https://vuldb.com/?ctiid.332325
+    - https://vuldb.com/?id.332325
+    - https://vuldb.com/?submit.683435
+    - https://github.com/advisories/GHSA-j383-q79v-268x

rubies/mrubyc/CVE-2025-13397.yml

@@ -0,0 +1,31 @@
+---
+engine: mrubyc
+cve: 2025-13397
+ghsa: 99jr-qh2r-jwfm
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-13397
+title: null pointer dereference vulnerability in mrubyc 3.4
+date: 2025-11-19
+description: |
+  A security vulnerability has been detected in mrubyc up to 3.4.
+  This impacts the function mrbc_raw_realloc of the file src/alloc.c.
+  Such manipulation of the argument ptr leads to null pointer
+  dereference. An attack has to be approached locally.
+  The name of the patch is 009111904807b8567262036bf45297c3da8f1c87.
+  It is advisable to implement a patch to correct this issue.
+
+  ## RELEASE INFO
+  - Release 3.4 commit stopped on 6/26/2025 and ommit 0091119 was
+    on 10/14/2025 so not in 3.4. Do not see any CHANGELOG or NEWS files.
+cvss_v2: .17
+cvss_v3: 5.5
+cvss_v4: 4.8
+notes: "Never patched"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-13397
+    - https://github.com/mrubyc/mrubyc/commit/009111904807b8567262036bf45297c3da8f1c87
+    - https://github.com/mrubyc/mrubyc/issues/244
+    - https://vuldb.com/?ctiid.332925
+    - https://vuldb.com/?id.332925
+    - https://vuldb.com/?submit.692130
+    - https://github.com/advisories/GHSA-99jr-qh2r-jwfm

spec/schemas/ruby.yml

@@ -4,7 +4,7 @@ mapping:
   "engine":
     type: str
     required: true
-    enum: [jruby, rbx, ruby, mruby]
+    enum: [jruby, rbx, ruby, mruby, mrubyc]
   "platform":
     type: str
   "cve":