Bug 1833291 (CVE-2020-10933) - CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure
Summary: CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information di...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10933
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1833293 1835858 1835859 1835860 1835861 1954950 1955055 1957119 2055227 2055237
Blocks: 1833294
TreeView+ depends on / blocked
 
Reported: 2020-05-08 10:46 UTC by Dhananjay Arunesh
Modified: 2022-02-21 10:12 UTC (History)
21 users (show)

Fixed In Version: ruby 2.5.8, ruby 2.6.6, ruby 2.7.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-26 11:32:23 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2587 0 None None None 2021-06-29 16:03:31 UTC
Red Hat Product Errata RHSA-2021:2588 0 None None None 2021-06-29 16:04:31 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:11 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:11 UTC

Description Dhananjay Arunesh 2020-05-08 10:46:09 UTC
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Comment 1 Dhananjay Arunesh 2020-05-08 10:49:08 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1833293]

Comment 3 Yadnyawalk Tale 2020-05-08 11:49:08 UTC
External References:

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933

Comment 4 Marco Benatto 2020-05-14 15:43:01 UTC
Upstream commit for this issue:
https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90

Comment 6 Marco Benatto 2020-05-14 16:01:03 UTC
Statement:

Red Hat CloudForms 5 has stopped shipping Ruby and 4.7 ships Ruby 2.4 series, hence not vulnerable to the flaw.
Red Hat Enterprise Linux versions prior than 8 ships ruby 2.0 or older releases, hence not vulnerable to the flaw.

Comment 7 Marco Benatto 2020-05-15 14:26:47 UTC
There's an issue with BasicSocket non-blocking reading/receiving methods on Ruby. When reading or receiving data from a socket, Ruby users may opt to use non-blocking routines via BasicSocket#recv_nonblock and BasicSocket#read_nonblock. Both methods may take a buffer and buffer length as parameters and when called resizes the buffer to the informed length. During the socket reading if the functions enters on a situation where it'd block it returns without copying any data into the buffer. As the buffer was previously resized when returning with no data copied, the buffer will contain random pieces of information from process's heap. This flaw causes Low impact on Confidentiality as an attacker which leveraged that to an exploit cannot control which parts of information will be leaked from the heap.

Comment 9 Jun Aruga 2020-08-06 09:04:26 UTC
(In reply to Marco Benatto from comment #4)
> Upstream commit for this issue:
> https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
> Affected versions
>     Ruby 2.5 series: 2.5.7 and earlier
>     Ruby 2.6 series: 2.6.5 and earlier
>     Ruby 2.7 series: 2.7.0
>     prior to master revision 61b7f86248bd121be2e83768be71ef289e8e5b90

Note that the CVE-2020-10933 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8.

https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/

Comment 12 errata-xmlrpc 2021-05-25 13:14:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104

Comment 13 Product Security DevOps Team 2021-05-26 11:32:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10933

Comment 14 errata-xmlrpc 2021-06-03 11:25:58 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230

Comment 15 errata-xmlrpc 2021-06-29 16:03:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587

Comment 16 errata-xmlrpc 2021-06-29 16:04:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588

Comment 17 errata-xmlrpc 2022-02-21 10:11:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 18 errata-xmlrpc 2022-02-21 10:12:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582


Note You need to log in before you can comment on or make changes to this bug.