
Bug 715620 (CVE-2020-10933)

Summary: <dev-lang/ruby-{2.4.10,2.5.8,2.6.6,2.7.1}: Heap exposure vulnerability in the socket library (CVE-2020-10933)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Hans de Graaff <graaff>
Assignee: Gentoo Security <security>
CC: ruby
Whiteboard: B3 [noglsa cve]
Package list: dev-lang/ruby-2.4.10 dev-lang/ruby-2.5.8 amd64 arm arm64 x86 hppa s390 sparc
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2020-03-31 14:07:12 UTC
A heap exposure vulnerability was discovered in the socket library. This vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly recommend upgrading Ruby.
Details

When BasicSocket#recv_nonblock and BasicSocket#read_nonblock are invoked with size and buffer arguments, they initially resize the buffer to the specified size. In cases where the operation would block, they return without copying any data. Thus, the buffer string will now include arbitrary data from the heap. This may expose possibly sensitive data from the interpreter.

This issue is exploitable only on Linux. This issue has been present since Ruby 2.5.0; the 2.4 series is not vulnerable.
Affected versions

    Ruby 2.5 series: 2.5.7 and earlier
    Ruby 2.6 series: 2.6.5 and earlier
    Ruby 2.7 series: 2.7.0
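The buffer behaviour described in the advisory above, shown as an added Ruby example that is not part of this bug report or of Ruby's own code: `safe_recv_nonblock` wraps `BasicSocket#recv_nonblock` so that a caller-supplied buffer is always emptied when the call would block (a fixed interpreter already does this; the wrapper makes the guarantee independent of the interpreter version), and `interpreter_leaves_buffer_empty?` is a small probe a practitioner can run against an installed Ruby to see whether the library itself truncates the buffer on EAGAIN. The helper names and the socketpair-based demonstration are constructed for this example; the only library calls used are `UNIXSocket.pair` and `recv_nonblock(maxlen, flags, buf, exception: false)`.

```ruby
require 'socket'

# Added example, not Ruby's own code: wrapper around BasicSocket#recv_nonblock.
# On Ruby 2.5.0 - 2.7.0 a would-block result left `buf` resized to `maxlen`
# bytes of uninitialised heap memory; this wrapper clears the buffer itself
# so callers never observe that content regardless of interpreter version.
#
# Returns [:data, buf] when bytes were received and [:wait_readable, buf]
# when the socket had nothing to read; in the second case buf is empty.
def safe_recv_nonblock(sock, maxlen, buf = String.new)
  # exception: false returns :wait_readable instead of raising IO::WaitReadable
  result = sock.recv_nonblock(maxlen, 0, buf, exception: false)
  if result == :wait_readable
    buf.clear # discard whatever the resize may have left in the buffer
    [:wait_readable, buf]
  else
    [:data, buf]
  end
end

# Probe (hypothetical helper): does this interpreter leave the buffer empty
# after a would-block recv_nonblock, without any help from the wrapper?
# A Ruby carrying the CVE-2020-10933 fix is expected to return true.
def interpreter_leaves_buffer_empty?
  a, b = UNIXSocket.pair # constructed socketpair; nothing is written to it
  buf = "stale".b
  a.recv_nonblock(16, 0, buf, exception: false)
  buf.empty?
ensure
  a&.close
  b&.close
end

# Constructed demonstration: first a read that would block, then one that
# receives a short message written on the other end of the pair.
def demo
  a, b = UNIXSocket.pair
  buf = "previous contents".b
  state, got = safe_recv_nonblock(a, 4096, buf)
  first = [state, got.bytesize] # [:wait_readable, 0]

  b.write("hello")
  state, got = safe_recv_nonblock(a, 4096, buf)
  second = [state, got]         # [:data, "hello"]
  [first, second]
ensure
  a&.close
  b&.close
end

if __FILE__ == $0
  p demo
  puts "interpreter truncates buffer on EAGAIN: #{interpreter_leaves_buffer_empty?}"
end
```

The wrapper is only useful as a belt-and-braces measure on hosts where the interpreter cannot be upgraded immediately; the real fix remains moving to the versions listed in this bug's summary.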
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 14:30:35 UTC
Thanks for this.

The tree looks clean to me, so I think we just need to consider glsa or not. Is that right?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 15:28:07 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #1)
> Thanks for this.
> 
> The tree looks clean to me, so I think we just need to consider glsa or not.
> Is that right?

Critical misreading. Thanks graaf for correcting me on IRC!

@maintainer(s), please create an appropriate ebuild.
Comment 3 Hans de Graaff gentoo-dev Security 2020-03-31 15:42:22 UTC
Ebuilds added for:

ruby-2.4.10
ruby-2.5.8
ruby-2.6.6
ruby-2.7.1

Given that the 2.4 and 2.5 versions contain minor other changes I'll wait a day or so before stabling these versions.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 19:00:57 UTC
(In reply to Hans de Graaff from comment #3)
> Ebuilds added for:
> 
> ruby-2.4.10
> ruby-2.5.8
> ruby-2.6.6
> ruby-2.7.1
> 
> Given that the 2.4 and 2.5 versions contain minor other changes I'll wait a
> day or so before stabling these versions.

Okay, great.
Comment 5 Hans de Graaff gentoo-dev Security 2020-04-01 09:02:54 UTC
Please test and mark stable.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 09:28:38 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-03 12:05:40 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-03 12:14:05 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-03 12:17:13 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-03 13:12:58 UTC
x86 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 19:22:15 UTC
arm64 stable
Comment 12 Rolf Eike Beer archtester 2020-04-09 18:46:40 UTC
hppa stable
Comment 13 NATTkA bot gentoo-dev 2020-04-09 18:48:29 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 18:49:14 UTC
@maintainer(s), please cleanup
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-11 06:58:18 UTC
Correction: still waiting on ppc, ppc64.
Comment 16 Agostino Sarubbo gentoo-dev 2020-04-13 14:51:22 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2020-04-13 14:52:19 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 NATTkA bot gentoo-dev 2020-04-13 15:04:23 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 Hans de Graaff gentoo-dev Security 2020-04-14 05:50:49 UTC
Cleanup done.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 01:34:53 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].