RFC: applying patches from USN-3235-1 #1615

Closed
flavorjones opened this Issue Mar 17, 2017 · 11 comments

flavorjones commented Mar 17, 2017

Canonical updated Ubuntu's libxml2 package today with some patches that have been applied upstream but are not yet in an official libxml release.

I think we should apply these patches to nokogiri's vendored libxml2, but I'd like to provide a period for informed observers to comment.

If you feel strongly it's unnecessary to apply these patches to nokogiri's vendored libxml2, please comment on this issue in the next 24 hours.

Update as of 2017-03-19 23:33:15-04:00:

v1.7.1 has been released with these patches applied.

USN-3235-1: libxml2 vulnerabilities

Dated 2017-03-16, this security update patches the following CVEs (for which I've linked to the upstream commits) ...

CVE-2016-4448

This is already patched in libxml 2.9.4, which is vendored as of Nokogiri 1.6.8 (released 2016-06-06), and so is not relevant to this discussion.

CVE-2016-4658

Priority: Medium

Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

Patch: Disallow namespace nodes in XPointer ranges

The CVE description makes it sound like an exploit is only possible on Apple-y things; but the patch's commit message indicates the fix is addressing use-after-free bugs found via fuzz testing, and so I think we should assume the bug is valid on other architectures and patch this.

CVE-2016-5131

Priority: Medium

Description: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

Patches:

Again, the CVE description makes it sound like an exploit might only be possible in Chrome, but here again the commit message tells us that this is another use-after-free bug found via fuzz testing. I think we should assume the bug is generally valid and patch this.

flavorjones added a commit that referenced this issue Mar 17, 2017

add patches from USN-3235-1
which address CVE-2016-4658 and CVE-2016-5131.

see #1615 for more information
flavorjones commented Mar 17, 2017

Temporary test pipeline is up at https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri?groups=USN-3235-1

Note that the patch for CVE-2016-4658 breaks a test: https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/USN-3235-1/builds/1

```
  1) Failure:
Nokogiri::XML::TestNode#test_document_compare [/tmp/build/4d9a0f57/nokogiri/test/xml/test_node.rb:334]:
Expected: -1
  Actual: 1
```

which is ... unexpected. Looking into it.

flavorjones added a commit that referenced this issue Mar 17, 2017

skip test for which libxml2 behavior is unreliable
GNOME/libxml2@a005199 alters the return value in this edge case.

See #1615 for more background on this libxml2 commit, which was pulled
in by Canonical to address CVE-2016-5131, which is mildly mysterious.

flavorjones commented Mar 17, 2017

Failure isn't meaningful, skipping it. See 4574bae.

flavorjones commented Mar 18, 2017

OK, shipping it.

flavorjones commented Mar 20, 2017

Delayed slightly by the fact that zlib 1.2.8 is no longer downloadable (which is used for windows devkit builds); need to upgrade to zlib 1.2.11.

flavorjones commented Mar 20, 2017

Shipped v1.7.1, here's the build status for posterity:

[image: build status screenshot]

jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Mar 20, 2017

taca
Update ruby-nokogiri to 1.7.1.
# 1.7.1 / unreleased

## Security Notes

[MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131.

For more information:

* sparklemotion/nokogiri#1615
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4658.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5131.html


## Dependencies

* [Windows] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)

patbl added a commit to academia-edu/simple-sitemap that referenced this issue Mar 23, 2017

jamesmartin added a commit to jamesmartin/inline_svg that referenced this issue Mar 23, 2017

Relax Nokogiri dependency.
Allows users to upgrade Nokogiri to 1.7.x to protect
themselves from CVE-2016-4658:
sparklemotion/nokogiri#1615

rymai added a commit to rymai/omniauth-cas3 that referenced this issue Mar 23, 2017

Update nokogiri dependency to ~> 1.7
Nokogiri 1.7.1 was released to address security issues:
sparklemotion/nokogiri#1615

sgerrand added a commit to sgerrand/nokogiri that referenced this issue May 14, 2017

add patches from USN-3235-1
which address CVE-2016-4658 and CVE-2016-5131.

see sparklemotion#1615 for more information

michael-harrison added a commit to michael-harrison/exlibris-primo that referenced this issue May 17, 2017

edwardloveall added a commit to edwardloveall/portfolio that referenced this issue Jun 3, 2017

Upgrade rails to fix vulnerability
This was a vulnerability:
sparklemotion/nokogiri#1615

By updating rails, that updated other dependencies and along with it
nokogiri which removed the vulnerability.

@edwardloveall edwardloveall referenced this issue Jun 3, 2017

Merged

Update gems #59

florrain added a commit to dandemeyere/responsys-api that referenced this issue Jun 19, 2017

Update nokogiri 1.8.0 (#46)
* Update Nokogiri to v1.8.0

Addresses security vulnerability:
- [nokogiri issue 1615](sparklemotion/nokogiri#1615)
- [nokogiri issue 1634](sparklemotion/nokogiri#1634)

AdrianCann added a commit to sophomoric/secret that referenced this issue Jul 22, 2017

Update rails and its dependencies
* Travis is failing because ruby-advisory-db warnings say nokogiri is out
of date and has vulnerabilities.

sparklemotion/nokogiri#1615
sparklemotion/nokogiri#1634
sparklemotion/nokogiri#1473

* Also updated capybara-webkit which uses nokogiri

pcai added a commit to savonrb/savon that referenced this issue Aug 2, 2017

semipermeable pushed a commit to solanolabs/nokogiri that referenced this issue Aug 30, 2017

add patches from USN-3235-1
which address CVE-2016-4658 and CVE-2016-5131.

see sparklemotion#1615 for more information

semipermeable pushed a commit to solanolabs/nokogiri that referenced this issue Aug 30, 2017

skip test for which libxml2 behavior is unreliable
GNOME/libxml2@a005199 alters the return value in this edge case.

See sparklemotion#1615 for more background on this libxml2 commit, which was pulled
in by Canonical to address CVE-2016-5131, which is mildly mysterious.

AdrianCann added a commit to sophomoric/maddie that referenced this issue Oct 1, 2017

Update nokogiri based on ruby advisory
* Maybe I should write a script to automatically update nokogiri :)

```
ruby-advisory-db: 288 advisories
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and
libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt
1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE
vulnerabilities
Solution: upgrade to >= 1.8.1
```

maartenvg added a commit to Shopify/active_shipping that referenced this issue Nov 9, 2017


havenwood pushed a commit to havenwood/connect-api-examples that referenced this issue Dec 7, 2017

Shannon Skipper
Bump Rails and Nokogiri versions to address CVEs
```
Name: actionview
Version: 4.2.6
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activerecord
Version: 4.2.6
Advisory: CVE-2016-6317
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to >= 4.2.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-9050
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2016-4658
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2015-8806
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-5029
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
```

juchem added a commit to airbnb/synapse that referenced this issue Apr 23, 2018

Upgrading `nokogiri` gem due to security vulnerability
Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

```
$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!
```
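The `bundle audit` records quoted in these commit messages can be checked mechanically against a planned upgrade before touching the Gemfile. This is an added example, not bundler-audit's or Nokogiri's own code; the report text is constructed from records quoted in this thread, and `parse_audit_report`, `fixed_by?` and `remaining_advisories` are names chosen here.

```ruby
# Added example (not Nokogiri's or bundler-audit's own code): parse the
# "Name/Version/Advisory/Solution" records `bundle audit check` prints and
# use Gem::Requirement to decide whether a planned upgrade clears each one.
# The report below is constructed from records quoted in this thread.
SAMPLE_REPORT = <<~REPORT
  Name: nokogiri
  Version: 1.6.8.1
  Advisory: CVE-2016-4658
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1615
  Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
  Solution: upgrade to >= 1.7.1

  Name: actionview
  Version: 4.2.6
  Advisory: CVE-2016-6316
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
  Title: Possible XSS Vulnerability in Action View
  Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

  Vulnerabilities found!
REPORT
# Split the report into one Hash per advisory record (blank-line separated).
def parse_audit_report(text)
  text.split(/\n\s*\n/).map { |block|
    block.lines.each_with_object({}) { |line, rec|
      key, value = line.split(":", 2)
      rec[key.strip.downcase.to_sym] = value.strip if value
    }
  }.select { |rec| rec[:advisory] }
end

# "upgrade to A, B, C" lists alternatives: satisfying any one of them is enough.
def solution_requirements(solution)
  solution.sub(/\Aupgrade to\s*/, "").split(",").map { |r| Gem::Requirement.new(r.strip) }
end

# True when `candidate` satisfies at least one requirement of the advisory.
def fixed_by?(record, candidate)
  v = Gem::Version.new(candidate)
  solution_requirements(record[:solution]).any? { |req| req.satisfied_by?(v) }
end

# Advisory ids still open after upgrading each gem to its version in `candidates`.
def remaining_advisories(text, candidates)
  parse_audit_report(text)
    .reject { |rec| fixed_by?(rec, candidates.fetch(rec[:name], rec[:version])) }
    .map { |rec| rec[:advisory] }
end
```

Note that a pessimistic constraint like `~> 4.2.7.1` is only one of several alternatives in the actionview record, so a candidate such as `4.2.10` clears it through `~> 4.2.8` while `5.0.0` does not.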


dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)


rainerdema added a commit to nebulab/solidus_editor that referenced this issue Oct 18, 2018

Update 'deface' dependency version
Updated 'deface' to update 'nokogiri' dependency gem after vulnerability 
checks with 'audit':
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt.

sparklemotion/nokogiri#1615
