A heap exposure vulnerability was discovered in the socket library. This vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly recommend upgrading Ruby.

Details

When BasicSocket#recv_nonblock and BasicSocket#read_nonblock are invoked with size and buffer arguments, they initially resize the buffer to the specified size. In cases where the operation would block, they return without copying any data. Thus, the buffer string will now include arbitrary data from the heap. This may expose possibly sensitive data from the interpreter.

This issue is exploitable only on Linux.

This issue has been present since Ruby 2.5.0; the 2.4 series is not vulnerable.

Affected versions

Ruby 2.5 series: 2.5.7 and earlier
Ruby 2.6 series: 2.6.5 and earlier
Ruby 2.7 series: 2.7.0
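As an added illustration (not part of the bug report or of the Ruby project's own code), the script below does two defensive things based only on the advisory text above: it decides whether a given Ruby version string falls inside the listed affected ranges, and it wraps read_nonblock so that a would-block result always leaves the caller-supplied buffer empty instead of relying on the interpreter to do so. The function names, the AFFECTED table layout and the UNIXSocket.pair demo are assumptions of this example; the version ranges are those stated in the advisory.

```ruby
require 'socket'

# Affected ranges taken from the advisory: each key is [major, minor] and the
# value is the highest vulnerable patch level in that series (constructed table).
# 2.4 and earlier are not listed as vulnerable, and neither is anything newer
# than 2.7.0.
AFFECTED = {
  [2, 5] => 7, # 2.5.0 .. 2.5.7
  [2, 6] => 5, # 2.6.0 .. 2.6.5
  [2, 7] => 0, # 2.7.0 only
}.freeze

# Returns true when the version string matches an affected range above.
def ruby_affected?(version = RUBY_VERSION)
  major, minor, patch = version.split('.').map(&:to_i)
  max_patch = AFFECTED[[major, minor]]
  return false if max_patch.nil?

  patch <= max_patch
end

# Hardened wrapper around IO#read_nonblock with a reusable buffer.
# On a would-block condition the buffer is cleared explicitly, so the caller
# never observes stale or uninitialized contents regardless of interpreter
# version. Returns the buffer (now holding data) or nil when nothing was read.
def safe_read_nonblock(io, size, buf)
  io.read_nonblock(size, buf)
  buf
rescue IO::WaitReadable
  buf.clear
  nil
end

# Demonstration on a constructed socket pair: first call would block (no data
# sent yet), second call returns the bytes written by the peer.
# Returns [result_when_blocked, buffer_size_after_block, result_with_data].
def demo
  a, b = UNIXSocket.pair
  buf = String.new
  blocked = safe_read_nonblock(b, 1024, buf)
  size_after_block = buf.bytesize
  a.write('hello')
  got = safe_read_nonblock(b, 1024, buf)
  [blocked, size_after_block, got]
ensure
  a&.close
  b&.close
end

if $PROGRAM_NAME == __FILE__
  puts "running Ruby #{RUBY_VERSION}, affected: #{ruby_affected?}"
  p demo
end
```

The wrapper is only a belt-and-braces measure for code that must keep a reusable buffer; the actual fix is upgrading to the versions listed later in this bug.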
Thanks for this. The tree looks clean to me, so I think we just need to consider glsa or not. Is that right?
(In reply to Sam James (sam_c) (security padawan) from comment #1)
> Thanks for this.
>
> The tree looks clean to me, so I think we just need to consider glsa or not.
> Is that right?

Critical misreading. Thanks graaf for correcting me on IRC!

@maintainer(s), please create an appropriate ebuild.
Ebuilds added for:

ruby-2.4.10
ruby-2.5.8
ruby-2.6.6
ruby-2.7.1

Given that the 2.4 and 2.5 versions contain minor other changes I'll wait a day or so before stabling these versions.
(In reply to Hans de Graaff from comment #3)
> Ebuilds added for:
>
> ruby-2.4.10
> ruby-2.5.8
> ruby-2.6.6
> ruby-2.7.1
>
> Given that the 2.4 and 2.5 versions contain minor other changes I'll wait a
> day or so before stabling these versions.

Okay, great.
Please test and mark stable.
arm stable
amd64 stable
s390 stable
sparc stable
x86 stable
arm64 stable
hppa stable
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
@maintainer(s), please cleanup
Correction: still waiting on ppc, ppc64.
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done.
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].