PublicDateAtUSN: 2020-05-04 15:15:00 UTC
Candidate: CVE-2020-10933
PublicDate: 2020-05-04 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933
 https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
 https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90
 https://ubuntu.com/security/notices/USN-4882-1
Description:
 An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5,
 and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size,
 buffer, exception: false), the method resizes the buffer to fit the
 requested size, but no data is copied. Thus, the buffer string provides the
 previous value of the heap. This may expose possibly sensitive data from
 the interpreter.
Ubuntu-Description:
Notes:
 leosilva> vulnerable code introduced in 2.5.0
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: ignored (out of standard support)
trusty/esm_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
bionic_ruby1.9.1: DNE
eoan_ruby1.9.1: DNE
focal_ruby1.9.1: DNE
groovy_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: ignored (out of standard support)
trusty/esm_ruby2.0: DNE
xenial_ruby2.0: DNE
bionic_ruby2.0: DNE
eoan_ruby2.0: DNE
focal_ruby2.0: DNE
groovy_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
xenial_ruby2.3: not-affected (code not present)
esm-infra/xenial_ruby2.3: not-affected (code not present)
bionic_ruby2.3: DNE
eoan_ruby2.3: DNE
focal_ruby2.3: DNE
groovy_ruby2.3: DNE
devel_ruby2.3: DNE

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
precise/esm_ruby2.5: DNE
trusty_ruby2.5: DNE
trusty/esm_ruby2.5: DNE
xenial_ruby2.5: DNE
bionic_ruby2.5: released (2.5.1-1ubuntu1.8)
eoan_ruby2.5: ignored (reached end-of-life)
focal_ruby2.5: DNE
groovy_ruby2.5: DNE
devel_ruby2.5: DNE

Patches_ruby2.7:
 upstream: https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90 (master)
 upstream: https://github.com/ruby/ruby/commit/f832d957b837d5167058a3f8579d66e5b5d3472e (2.7)
upstream_ruby2.7: released (2.7.1-1)
precise/esm_ruby2.7: DNE
trusty_ruby2.7: DNE
trusty/esm_ruby2.7: DNE
xenial_ruby2.7: DNE
bionic_ruby2.7: DNE
eoan_ruby2.7: DNE
focal_ruby2.7: released (2.7.0-5ubuntu1.3)
groovy_ruby2.7: not-affected (2.7.1-3ubuntu1.1)
devel_ruby2.7: not-affected (2.7.2-4)