From ff335ef96a9e788b1721bf70db27c8ca6e489d59 Mon Sep 17 00:00:00 2001
From: hht8
Date: Fri, 15 May 2020 17:07:25 +0800
Subject: [PATCH] fix CVE-2020-10933
---
CVE-2020-10933.patch | 88 ++++++++++++++++++++++++++++++++++++++++++++
ruby.spec | 10 ++++-
2 files changed, 96 insertions(+), 2 deletions(-)
create mode 100644 CVE-2020-10933.patch
diff --git a/CVE-2020-10933.patch b/CVE-2020-10933.patch
new file mode 100644
index 0000000..27be38b
--- /dev/null
+++ b/CVE-2020-10933.patch
@@ -0,0 +1,88 @@
+From 61b7f86248bd121be2e83768be71ef289e8e5b90 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh
+Date: Tue, 31 Mar 2020 20:18:21 +0900
+Subject: [PATCH] ext/socket/init.c: do not return uninitialized buffer
+
+Resize string buffer only if some data is received in
+BasicSocket#read_nonblock and some methods.
+
+Co-Authored-By: Samuel Williams
+---
+ ext/socket/init.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/ext/socket/init.c b/ext/socket/init.c
+index 0675194d7442..6d17ecfb4e2f 100644
+--- a/ext/socket/init.c
++++ b/ext/socket/init.c
+@@ -121,6 +121,7 @@ rsock_send_blocking(void *data)
+ struct recvfrom_arg {
+ int fd, flags;
+ VALUE str;
++ size_t length;
+ socklen_t alen;
+ union_sockaddr buf;
+ };
+@@ -131,10 +132,11 @@ recvfrom_blocking(void *data)
+ struct recvfrom_arg *arg = data;
+ socklen_t len0 = arg->alen;
+ ssize_t ret;
+- ret = recvfrom(arg->fd, RSTRING_PTR(arg->str), RSTRING_LEN(arg->str),
++ ret = recvfrom(arg->fd, RSTRING_PTR(arg->str), arg->length,
+ arg->flags, &arg->buf.addr, &arg->alen);
+ if (ret != -1 && len0 < arg->alen)
+ arg->alen = len0;
++
+ return (VALUE)ret;
+ }
+
+@@ -152,7 +154,6 @@ rsock_strbuf(VALUE str, long buflen)
+ } else {
+ rb_str_modify_expand(str, buflen - len);
+ }
+- rb_str_set_len(str, buflen);
+ return str;
+ }
+
+@@ -188,6 +189,7 @@ rsock_s_recvfrom(VALUE sock, int argc, VALUE *argv, enum sock_recv_type from)
+ arg.fd = fptr->fd;
+ arg.alen = (socklen_t)sizeof(arg.buf);
+ arg.str = str;
++ arg.length = buflen;
+
+ while (rb_io_check_closed(fptr),
+ rsock_maybe_wait_fd(arg.fd),
+@@ -198,9 +200,8 @@ rsock_s_recvfrom(VALUE sock, int argc, VALUE *argv, enum sock_recv_type from)
+ }
+ }
+
+- if (slen != RSTRING_LEN(str)) {
+- rb_str_set_len(str, slen);
+- }
++ /* Resize the string to the amount of data received */
++ rb_str_set_len(str, slen);
+ rb_obj_taint(str);
+ switch (from) {
+ case RECV_RECV:
+@@ -330,6 +331,7 @@ rsock_read_nonblock(VALUE sock, VALUE length, VALUE buf, VALUE ex)
+ GetOpenFile(sock, fptr);
+
+ if (len == 0) {
++ rb_str_set_len(str, 0);
+ return str;
+ }
+
+@@ -347,12 +349,9 @@ rsock_read_nonblock(VALUE sock, VALUE length, VALUE buf, VALUE ex)
+ rb_syserr_fail_path(e, fptr->pathv);
+ }
+ }
+- if (len != n) {
++ if (n != RSTRING_LEN(str)) {
+ rb_str_modify(str);
+ rb_str_set_len(str, n);
+- if (str != buf) {
+- rb_str_resize(str, n);
+- }
+ }
+ if (n == 0) {
+ if (ex == Qfalse) return Qnil;
diff --git a/ruby.spec b/ruby.spec
index 89dd52d..4cf52a9 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,6 +1,6 @@
 Name: ruby
 Version: 2.5.1
-Release: 104
+Release: 105
 Summary: Object-oriented scripting language interpreter
 License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL: http://ruby-lang.org/
@@ -50,7 +50,7 @@ Patch6007: CVE-2019-16255.patch
 Patch6008: CVE-2019-19204.patch
 Patch6009: CVE-2019-19246.patch
 Patch6010: CVE-2019-16163.patch
-
+Patch6011: CVE-2020-10933.patch
 Provides: %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -588,6 +588,12 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 %changelog
+* Fri May 15 2020 huanghaitao - 2.5.1-105
+- Type:cves
+- ID:CVE-2020-10933
+- SUG:restart
+- DESC:fix CVE-2020-10933
+
 * Mon Feb 03 2020 openEuler Buildteam - 2.5.1-104
 - Type:cves
 - ID:CVE-2019-16163 CVE-2019-19204 CVE-2019-16255 CVE-2019-19246
--
Gitee
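Review bot: `arg.length = buflen;` in the embedded `rsock_s_recvfrom` hunk stores a signed length in the new `size_t length` field, and `recvfrom_blocking` then hands it to `recvfrom()` as the write bound for `RSTRING_PTR(arg->str)`, so a negative value would become a very large bound. `rsock_strbuf` takes `long buflen`, and after the removal of `rb_str_set_len(str, buflen)` the only visible use of the requested size there is `rb_str_modify_expand(str, buflen - len)` in the `else` branch; the other branch and the start of `rsock_s_recvfrom` are outside the hunks, so whether a negative length is already rejected cannot be confirmed from this patch. If it is not, I would add `if (buflen < 0) rb_raise(rb_eArgError, "negative length %ld given", buflen);` before the `rsock_strbuf` call. A comment on the field such as `/* capacity reserved by rsock_strbuf(); may exceed RSTRING_LEN(str) */` would also record why the string length is no longer the bound.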