| Summary: | ruby new security issue CVE-2020-10933 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | ruby-2.5.7-20.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2020-04-01 01:38:02 CEST

David Walser
2020-04-01 01:38:20 CEST
Status comment:
(none) =>
Fixed upstream in 2.5.8 and 2.7.1

ruby-2.5.8-21.mga7.src.rpm submitted to 7/core/updates_testing

Yes and with different failures on aarch64 and armv7hl, and both are different from the one I have in cauldron :(

Cauldron was updated to 2.7.1

Status comment:
Fixed upstream in 2.5.8 and 2.7.1 =>
Fixed upstream in 2.5.8

Fedora has issued an advisory for this today (May 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/

ruby-2.5.8-21.mga7 is finally available in updates_testing!

Advisory:
========================

Updated ruby packages fix security vulnerability:

An issue was discovered in Ruby through 2.5.7. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter (CVE-2020-10933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.8-21.mga7
libruby2.5-2.5.8-21.mga7
ruby-doc-2.5.8-21.mga7
ruby-devel-2.5.8-21.mga7
ruby-openssl-2.1.2-21.mga7
ruby-power_assert-1.1.1-21.mga7
ruby-irb-2.5.8-21.mga7
ruby-did_you_mean-1.2.0-21.mga7
ruby-io-console-0.4.6-21.mga7
ruby-psych-3.0.2-21.mga7
ruby-net-telnet-0.1.1-21.mga7
ruby-test-unit-3.2.7-21.mga7
ruby-xmlrpc-0.3.0-21.mga7

from ruby-2.5.8-21.mga7.src.rpm

Assignee:
pterjan =>
qa-bugs

Whatever mirror I try: package not found.

CC:
(none) =>
herman.viaene

Sorry, just noticed that my qarepo was pointing to version 6.

mga7, x86_64
Before update this very simple client/server copied from the ruby "Pickaxe" manual runs fine:
$ rpm -q ruby
ruby-2.5.7-20.mga7
$ cat bs.rb
require 'socket'
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )
loop do
  msg, sender = socket.recvfrom( 100 )
  host = sender[3]
  timestamp = Time.now
  puts "#{timestamp}: #{host} '#{msg}'"
  STDOUT.flush
end
[Terminal 1]
$ ruby bs.rb
In another terminal:
$ irb
irb(main):001:0> require 'socket'
=> true
irb(main):002:0> log = UDPSocket.new
=> #<UDPSocket:fd 9, AF_INET, 0.0.0.0, 0>
irb(main):003:0> log.connect( "127.0.0.1", 12121 )
=> 0
irb(main):004:0> log.print "Up and running"
=> nil
irb(main):005:0> log.print "Done! Over and out"
=> nil
irb(main):006:0> quit
[Terminal 1]
2020-07-06 10:04:00 +0100: 127.0.0.1 'Up and running'
2020-07-06 10:04:41 +0100: 127.0.0.1 'Done! Over and out'
Somebody who knows something about the BasicSocket library could probably construct a PoC test for CVE-2020-10933. The length of the returned buffer could be checked and if it matches the requested size the whole buffer could be compared with the message string to see if it contains odd characters beyond the end of string. Experimented with socket.read_nonblock but do not know if the fix is applied at that point.
require 'socket'                     # same socket setup as bs.rb above, so the fragment runs on its own
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )
buffer = "rubbish ......"            # 14-byte buffer; nothing has been sent to the socket yet
flag = socket.read_nonblock( 200, buffer, exception: false )   # returns :wait_readable, no data copied
puts flag.class, flag.to_sym
puts buffer.length                   # 200 on the unpatched ruby, 14 after the update (see below)
puts buffer.slice( 0..199 )
$ ruby bsx.rb
Symbol
wait_readable
200
rubbish ......�#��#��#/#�G�lB0=98�A8�A��@�9�:90�A
------------------------------------------------------------------------------
Updated all the packages.
$ ruby --version
ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]
CVE-2020-10933
$ ruby bsx.rb
Symbol
wait_readable
14
rubbish ......
This was repeatable so it looks encouraging.
Tested ruby against an array of local scripts which mainly exercise boiler-plate code, various gems and ruby-tk calls.
One makes http requests and others interact with ffmpeg, get_iplayer, mplayer and vlc, deal with astronomical calculations and print directly to a wifi printer. No regressions encountered, yet.
$ gem list
*** LOCAL GEMS ***
astro_moon (0.2)
coderay (1.1.3)
daemons (1.3.1)
did_you_mean (1.2.0)
eventmachine (1.2.7)
ffi (1.11.3)
glib2 (3.4.1)
gtk (0.1.0)
image_processing (1.11.0, 1.10.3, 1.10.2)
json (2.1.0)
.....
$ sudo gem install nokogiri
Fetching: mini_portile2-2.4.0.gem (100%)
Successfully installed mini_portile2-2.4.0
Fetching: nokogiri-1.10.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.9
Parsing documentation for mini_portile2-2.4.0
Installing ri documentation for mini_portile2-2.4.0
Parsing documentation for nokogiri-1.10.9
Installing ri documentation for nokogiri-1.10.9
Done installing documentation for mini_portile2, nokogiri after 1 seconds
2 gems installed
$ irb
irb(main):001:0> Dir.chdir( Dir.home+"/ruby/scriptlets" )
=> 0
irb(main):002:0> File.readlines( "jabberwocky" ).each { |line| puts line }
Twas brillig and the slithy toves
Did gyre and and gimble in the wabe.
All mimsy were the borogoves
And the mome raths outgrabe.
=> ["Twas brillig and the slithy toves\n", "Did gyre and and gimble in the wabe.\n", "All mimsy were the borogoves\n", "And the mome raths outgrabe.\n", "\n", "\n"]
irb(main):003:0> quit
$ irb
irb(main):001:0> plink = "Just a drop in the ocean"
=> "Just a drop in the ocean"
irb(main):002:0> puts plonk
Traceback (most recent call last):
2: from /usr/bin/irb:11:in `<main>'
1: from (irb):2
NameError (undefined local variable or method `plonk' for main:Object)
Did you mean? plink
$ urpmq --whatrequires lib64ruby2.5 | sort -u | wc -l
70
$ strace -o paddb.trace ruby ~/bin/padlab
$ grep ruby paddb.trace | grep lib
.....
openat(AT_FDCWD, "/usr/lib64/ruby/enc/windows_1257.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/gems/ruby/tk-0.2.0/tkutil.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
.....
$ strace -o calco.trace ~/bin/calco
$ grep lib calco.trace | grep -v "(No such" | grep -v tk > libs
$ less libs
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libm-2.29.s"..., 1024) = 1024
.....
vim is listed, so...
$ strace -o vim.trace vim weather
$ cat vim.trace | grep lib | grep ruby | grep -v "No such"
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
Enough already.

CC:
(none) =>
tarazed25

@Herman: comment 8. Sorry, this was just on its way.

Great, saved me some headache how to test this!!! Great work, guys! Validating. Advisory in Comment 7.

Keywords:
(none) =>
validated_update
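The repeatable check the testing comment above asks for (a PoC for CVE-2020-10933 that compares the buffer length with the requested size and confirms no stale bytes sit beyond the received payload), written as an added example for this page; it is not code from the bug report, from Mageia QA or from the Ruby project. It assumes a UNIX datagram socketpair in place of the bound UDP port on the page so that it runs offline, a constructed 14-byte sentinel buffer and a constructed datagram, and the helper name `probe_read_nonblock` is this example's own. On an unpatched ruby (2.5.7 here) the idle call leaves the buffer grown to the requested 200 bytes of heap contents; on 2.5.8 the buffer length is left alone and only a real datagram ever changes it.

```ruby
require 'socket'

# Regression check for CVE-2020-10933: BasicSocket#read_nonblock(len, buffer,
# exception: false) on a socket with nothing queued must not hand back `buffer`
# resized to `len` bytes of whatever the heap held.
#
# A UNIX datagram socketpair replaces the UDP socket bound to 127.0.0.1:12121
# on the bug page (assumption made for this example; no port is needed).
SENTINEL = "rubbish ......".b.freeze # constructed 14-byte buffer, as on the page

def probe_read_nonblock(requested = 200)
  reader, writer = Socket.pair(:UNIX, :DGRAM, 0)
  buffer = SENTINEL.dup

  # Phase 1: nothing to read. This is exactly the call the advisory describes.
  empty = reader.read_nonblock(requested, buffer, exception: false)
  idle = {
    result: empty,                    # :wait_readable on both vulnerable and fixed rubies
    length: buffer.bytesize,          # 200 when vulnerable, 14 when fixed
    # Growth beyond the sentinel means uninitialised heap bytes were exposed.
    heap_exposed: buffer.bytesize > SENTINEL.bytesize,
  }

  # Phase 2: queue one datagram and read it into the same buffer. The buffer
  # must now be exactly the payload, with no leftover bytes after it.
  payload = "Up and running".b       # constructed datagram, 14 bytes
  writer.send(payload, 0)
  reader.read_nonblock(requested, buffer, exception: false)
  data = {
    length: buffer.bytesize,
    exact_payload: buffer == payload,
  }

  { idle: idle, data: data }
ensure
  reader&.close
  writer&.close
end

if $PROGRAM_NAME == __FILE__
  report = probe_read_nonblock
  puts "ruby #{RUBY_VERSION}"
  puts "idle: #{report[:idle].inspect}"
  puts "data: #{report[:data].inspect}"
  puts(report[:idle][:heap_exposed] ? 'VULNERABLE: buffer resized with no data copied' : 'OK: buffer untouched on :wait_readable')
end
```

Run it with the old and the new package installed; the only line that should differ is the idle length (200 versus 14) and the verdict. Comparing `buffer == payload` after the real read is the stricter half of the check, since a buffer that is merely shorter than `requested` could still carry stale bytes past the datagram.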
Nicolas Lécureuil
2020-07-07 15:15:21 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0285.html

Resolution:
(none) =>
FIXED