RFC: applying patches from USN-3235-1 #1615
Canonical updated Ubuntu's
I think we should apply these patches to nokogiri's vendored libxml2, but I'd like to provide a period for informed observers to comment.
If you feel strongly it's unnecessary to apply these patches to nokogiri's vendored libxml2, please comment on this issue in the next 24 hours.
Dated 2017-03-16, this security update patches the following CVEs (for which I've linked to the upstream commits) ...
This is already patched in libxml 2.9.4, which is vendored as of Nokogiri 1.6.8 (released 2016-06-06), and so is not relevant to this discussion.
Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
The CVE description makes it sound like an exploit is only possible on Apple-y things; but the patch's commit message indicates the fix is addressing use-after-free bugs found via fuzz testing, and so I think we should assume the bug is valid on other architectures and patch this.
Description: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
Again, the CVE description makes it sound like an exploit might only be possible in Chrome, but here again the commit message tells us that this is another use-after-free bug found via fuzz testing. I think we should assume the bug is generally valid and patch this.
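As an added example (not code from this issue or from the Nokogiri project), here is a small Ruby check a deployer can run to tell whether the libxml2 actually loaded at runtime is older than 2.9.4, the version the issue says already carries the first fix. It assumes the hash shape of `Nokogiri::VERSION_INFO` (`"libxml" => { "compiled" => ..., "loaded" => ... }`) and uses constructed sample values rather than real output; the `"compiled"`/`"loaded"` split matters because a build against system libraries can load a different libxml2 than the one it was compiled against.

```ruby
require "rubygems" # Gem::Version ships with RubyGems (already loaded on modern Ruby)

# libxml2 release that the issue states already contains the first fix.
LIBXML_FIXED_VERSION = "2.9.4"

# True when the libxml2 loaded at runtime is older than the fixed release.
# `version_info` is assumed to look like Nokogiri::VERSION_INFO, i.e.
# version_info["libxml"]["loaded"] is the runtime libxml2 version string.
def libxml_older_than_fix?(version_info, fixed = LIBXML_FIXED_VERSION)
  loaded = version_info.dig("libxml", "loaded")
  raise ArgumentError, "no libxml version information" if loaded.nil?
  Gem::Version.new(loaded) < Gem::Version.new(fixed)
end

# One-line summary for an audit script; flags the case where the loaded
# library differs from the one the extension was compiled against.
def libxml_report(version_info, fixed = LIBXML_FIXED_VERSION)
  loaded   = version_info.dig("libxml", "loaded")
  compiled = version_info.dig("libxml", "compiled")
  status = libxml_older_than_fix?(version_info, fixed) ? "NEEDS UPDATE" : "ok"
  note = if compiled && compiled != loaded
           " (compiled against #{compiled}; a different system libxml2 is loaded)"
         else
           ""
         end
  "libxml2 #{loaded}: #{status}#{note}"
end

# Constructed sample inputs, not output captured from any real machine.
SAMPLE_OLD    = { "libxml" => { "compiled" => "2.9.2", "loaded" => "2.9.2" } }
SAMPLE_FIXED  = { "libxml" => { "compiled" => "2.9.4", "loaded" => "2.9.4" } }
SAMPLE_SYSTEM = { "libxml" => { "compiled" => "2.9.4", "loaded" => "2.9.1" } }

if $PROGRAM_NAME == __FILE__
  # On a real installation: require "nokogiri"; puts libxml_report(Nokogiri::VERSION_INFO)
  [SAMPLE_OLD, SAMPLE_FIXED, SAMPLE_SYSTEM].each { |vi| puts libxml_report(vi) }
end
```

Against a real installation, replace the constructed hashes with `Nokogiri::VERSION_INFO`; the report line for the third sample shows why checking only the compiled version is not enough.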
Temporary test pipeline is up at https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri?groups=USN-3235-1
Note that the patch for CVE-2016-4658 breaks a test: https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/USN-3235-1/builds/1
which is ... unexpected. Looking into it.
Ready to cut 1.7.1, will wait until tomorrow, though.