An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1833293]
External References: https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933
Upstream commit for this issue: https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90
Statement: Red Hat CloudForms 5 has stopped shipping Ruby, and 4.7 ships the Ruby 2.4 series, hence is not vulnerable to the flaw. Red Hat Enterprise Linux versions prior to 8 ship ruby 2.0 or older releases, hence are not vulnerable to the flaw.
There's an issue with the BasicSocket non-blocking reading/receiving methods in Ruby. When reading or receiving data from a socket, Ruby users may opt to use non-blocking routines via BasicSocket#recv_nonblock and BasicSocket#read_nonblock. Both methods may take a buffer and buffer length as parameters and, when called, resize the buffer to the given length. During the socket read, if the function enters a situation where it would block, it returns without copying any data into the buffer. As the buffer was previously resized, when returning with no data copied the buffer will contain random pieces of information from the process's heap. This flaw has Low impact on Confidentiality, as an attacker who leveraged it in an exploit cannot control which parts of the heap will be leaked.
(In reply to Marco Benatto from comment #4)
> Upstream commit for this issue:
> https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
> Affected versions
> Ruby 2.5 series: 2.5.7 and earlier
> Ruby 2.6 series: 2.6.5 and earlier
> Ruby 2.7 series: 2.7.0
> prior to master revision 61b7f86248bd121be2e83768be71ef289e8e5b90

Note that CVE-2020-10933 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8.
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
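As an added illustration (not part of this bug report or of Ruby's own code), the snippet below encodes the affected ranges quoted in the comment above as a version check, and wraps the `exception: false` form of BasicSocket#read_nonblock so that the buffer is emptied whenever the call returned no data, which is the condition under which an unpatched interpreter leaves resized heap contents in it. The method and constant names are this example's own.

```ruby
require 'socket'

# Affected ranges from the advisory: [first affected, first fixed).
# Series before 2.5 (e.g. 2.4) do not contain the affected code path.
CVE_2020_10933_RANGES = [
  ['2.5.0', '2.5.8'],
  ['2.6.0', '2.6.6'],
  ['2.7.0', '2.7.1']
].freeze

# True if the given interpreter version falls inside an affected range.
def ruby_affected_by_cve_2020_10933?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  CVE_2020_10933_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
end

# Defensive wrapper for `read_nonblock(size, buf, exception: false)`.
# On an unpatched interpreter `buf` is resized to `size` even when nothing
# was read, so whatever bytes the resize exposed would be visible to the
# caller. Here the buffer is cleared whenever the call did not hand back
# data (:wait_readable when it would block, nil at EOF), so `buf` can only
# ever contain bytes that actually came off the socket.
def safe_read_nonblock(sock, size, buf = String.new)
  result = sock.read_nonblock(size, buf, exception: false)
  unless result.is_a?(String)
    buf.clear
    return nil
  end
  buf
end
```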
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10933
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582