Bug 1833291 (CVE-2020-10933)

Summary: CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarol, dmetzger, gmccullo, gtanzill, hhorak, jaruga, jfrey, jhardy, jorton, mo, mtasaka, pvalena, roliveri, ruby-maint, ruby-packagers-sig, simaishi, smallamp, s, strzibny, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby 2.5.8, ruby 2.6.6, ruby 2.7.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-26 11:32:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1833293, 1835858, 1835859, 1835860, 1835861, 1954950, 1955055, 1957119, 2055227, 2055237    
Bug Blocks: 1833294    

Description Dhananjay Arunesh 2020-05-08 10:46:09 UTC 
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
Comment 1 Dhananjay Arunesh 2020-05-08 10:49:08 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1833293]
Comment 3 Yadnyawalk Tale 2020-05-08 11:49:08 UTC 
External References:

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933
Comment 4 Marco Benatto 2020-05-14 15:43:01 UTC 
Upstream commit for this issue:
https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90
Comment 6 Marco Benatto 2020-05-14 16:01:03 UTC 
Statement:

Red Hat CloudForms 5 has stopped shipping Ruby and 4.7 ships Ruby 2.4 series, hence not vulnerable to the flaw.
Red Hat Enterprise Linux versions prior than 8 ships ruby 2.0 or older releases, hence not vulnerable to the flaw.
Comment 7 Marco Benatto 2020-05-15 14:26:47 UTC 
There's an issue with BasicSocket non-blocking reading/receiving methods on Ruby. When reading or receiving data from a socket, Ruby users may opt to use non-blocking routines via BasicSocket#recv_nonblock and BasicSocket#read_nonblock. Both methods may take a buffer and buffer length as parameters and when called resizes the buffer to the informed length. During the socket reading if the functions enters on a situation where it'd block it returns without copying any data into the buffer. As the buffer was previously resized when returning with no data copied, the buffer will contain random pieces of information from process's heap. This flaw causes Low impact on Confidentiality as an attacker which leveraged that to an exploit cannot control which parts of information will be leaked from the heap.
Comment 9 Jun Aruga 2020-08-06 09:04:26 UTC 
(In reply to Marco Benatto from comment #4)
> Upstream commit for this issue:
> https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
> Affected versions
>     Ruby 2.5 series: 2.5.7 and earlier
>     Ruby 2.6 series: 2.6.5 and earlier
>     Ruby 2.7 series: 2.7.0
>     prior to master revision 61b7f86248bd121be2e83768be71ef289e8e5b90

Note that the CVE-2020-10933 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8.

https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
Comment 12 errata-xmlrpc 2021-05-25 13:14:06 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
Comment 13 Product Security DevOps Team 2021-05-26 11:32:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10933
Comment 14 errata-xmlrpc 2021-06-03 11:25:58 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
Comment 15 errata-xmlrpc 2021-06-29 16:03:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
Comment 16 errata-xmlrpc 2021-06-29 16:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
Comment 17 errata-xmlrpc 2022-02-21 10:11:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
Comment 18 errata-xmlrpc 2022-02-21 10:12:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582