Fix CVE-2020-10933

CVE-2020-10933.patch

@@ -0,0 +1,88 @@
+From 61b7f86248bd121be2e83768be71ef289e8e5b90 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 31 Mar 2020 20:18:21 +0900
+Subject: [PATCH] ext/socket/init.c: do not return uninitialized buffer
+
+Resize string buffer only if some data is received in
+BasicSocket#read_nonblock and some methods.
+
+Co-Authored-By: Samuel Williams <samuel.williams@oriontransfer.co.nz>
+---
+ ext/socket/init.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/ext/socket/init.c b/ext/socket/init.c
+index 0675194d7442..6d17ecfb4e2f 100644
+--- a/ext/socket/init.c
++++ b/ext/socket/init.c
+@@ -121,6 +121,7 @@ rsock_send_blocking(void *data)
+ struct recvfrom_arg {
+     int fd, flags;
+     VALUE str;
++    size_t length;
+     socklen_t alen;
+     union_sockaddr buf;
+ };
+@@ -131,10 +132,11 @@ recvfrom_blocking(void *data)
+     struct recvfrom_arg *arg = data;
+     socklen_t len0 = arg->alen;
+     ssize_t ret;
+-    ret = recvfrom(arg->fd, RSTRING_PTR(arg->str), RSTRING_LEN(arg->str),
++    ret = recvfrom(arg->fd, RSTRING_PTR(arg->str), arg->length,
+                    arg->flags, &arg->buf.addr, &arg->alen);
+     if (ret != -1 && len0 < arg->alen)
+         arg->alen = len0;
++
+     return (VALUE)ret;
+ }
+ 
+@@ -152,7 +154,6 @@ rsock_strbuf(VALUE str, long buflen)
+     } else {
+ 	rb_str_modify_expand(str, buflen - len);
+     }
+-    rb_str_set_len(str, buflen);
+     return str;
+ }
+ 
+@@ -188,6 +189,7 @@ rsock_s_recvfrom(VALUE sock, int argc, VALUE *argv, enum sock_recv_type from)
+     arg.fd = fptr->fd;
+     arg.alen = (socklen_t)sizeof(arg.buf);
+     arg.str = str;
++    arg.length = buflen;
+ 
+     while (rb_io_check_closed(fptr),
+ 	   rsock_maybe_wait_fd(arg.fd),
+@@ -198,9 +200,8 @@ rsock_s_recvfrom(VALUE sock, int argc, VALUE *argv, enum sock_recv_type from)
+         }
+     }
+ 
+-    if (slen != RSTRING_LEN(str)) {
+-	rb_str_set_len(str, slen);
+-    }
++    /* Resize the string to the amount of data received */
++    rb_str_set_len(str, slen);
+     rb_obj_taint(str);
+     switch (from) {
+       case RECV_RECV:
+@@ -330,6 +331,7 @@ rsock_read_nonblock(VALUE sock, VALUE length, VALUE buf, VALUE ex)
+     GetOpenFile(sock, fptr);
+ 
+     if (len == 0) {
++	rb_str_set_len(str, 0);
+ 	return str;
+     }
+ 
+@@ -347,12 +349,9 @@ rsock_read_nonblock(VALUE sock, VALUE length, VALUE buf, VALUE ex)
+ 	    rb_syserr_fail_path(e, fptr->pathv);
+ 	}
+     }
+-    if (len != n) {
++    if (n != RSTRING_LEN(str)) {
+ 	rb_str_modify(str);
+ 	rb_str_set_len(str, n);
+-	if (str != buf) {
+-	    rb_str_resize(str, n);
+-	}
+     }
+     if (n == 0) {
+ 	if (ex == Qfalse) return Qnil;

ruby.spec

@@ -1,6 +1,6 @@
 Name:      ruby
 Version:   2.5.1
-Release:   104
+Release:   105
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       http://ruby-lang.org/
@@ -50,7 +50,7 @@ Patch6007: CVE-2019-16255.patch
 Patch6008: CVE-2019-19204.patch
 Patch6009: CVE-2019-19246.patch
 Patch6010: CVE-2019-16163.patch
-
+Patch6011: CVE-2020-10933.patch
 
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -588,6 +588,12 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 
 %changelog
+* Thu May 07 2020 huanghaitao <huanghaitao@huawei.com> - 2.5.1-105
+- Type:cves
+- ID:CVE-2020-10933
+- SUG:restart
+- DESC:fix CVE-2020-10933
+
 * Mon Feb 03 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.5.1-104
 - Type:cves
 - ID:CVE-2019-16163 CVE-2019-19204 CVE-2019-16255 CVE-2019-19246