RFC: applying patches from USN-3235-1 #1615

flavorjones · 2017-03-17T01:26:09Z

Canonical updated Ubuntu's libxml2 package today with some patches that have been applied upstream but are not yet in an official libxml release.

I think we should we apply these patches to nokogiri's vendored libxml2, but I'd like to provide a period for informed observers to comment.

If you feel strongly it's unnecesssary to apply these patches to nokogiri's vendored libxml2, please comment on this issue in the next 24 hours.

Update as of 2017-03-19 23:33:15-04:00:

v1.7.1 has been released with these patches applied.

USN-3235-1: libxml2 vulnerabilities

Dated 2017-03-16, this security update patches the following CVEs (for which I've linked to the upstream commits) ...

CVE-2016-4448

This is already patched in libxml 2.9.4, which is vendored as of Nokogiri 1.6.8 (released 2016-06-06), and so is not relevant to this discussion.

CVE-2016-4658

Priority: Medium

Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

Patch: Disallow namespace nodes in XPointer ranges

The CVE description makes it sound like an exploit is only possible on Apple-y things; but the patch's commit message indicates the fix is addressing use-after-free bugs found via fuzz testing, and so I think we should assume the bug is valid on other architectures and patch this.

CVE-2016-5131

Priority: Medium

Description: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

Patches:

Again, the CVE description makes it sound like an exploit might only be possble in Chrome, but here again the commit message tells us that this is another use-after-free bug found via fuzz testing. I think we should assume the bug is generally valid and patch this.

The text was updated successfully, but these errors were encountered:

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones · 2017-03-17T03:34:31Z

Temporary test pipeline is up at https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri?groups=USN-3235-1

Note that the patch for CVE-2016-4658 breaks a test: https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/USN-3235-1/builds/1

  1) Failure:
Nokogiri::XML::TestNode#test_document_compare [/tmp/build/4d9a0f57/nokogiri/test/xml/test_node.rb:334]:
Expected: -1
  Actual: 1

which is ... unexpected. Looking into it.

GNOME/libxml2@a005199 alters the return value in this edge case. See #1615 for more background on this libxml2 commit, which was pulled in by Canonical to address CVE-2016-5131, which is mildly mysterious.

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones · 2017-03-17T04:47:06Z

Failure isn't meaningful, skipping it. See 4574bae.

GNOME/libxml2@a005199 alters the return value in this edge case. See #1615 for more background on this libxml2 commit, which was pulled in by Canonical to address CVE-2016-5131, which is mildly mysterious.

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones · 2017-03-17T04:59:55Z

Ready to cut 1.7.1, will wait until tomorrow, though.

https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri/jobs/1.7.1-rc/builds/2

flavorjones · 2017-03-17T05:00:27Z

flavorjones · 2017-03-18T15:53:02Z

OK, shipping it.

flavorjones · 2017-03-20T02:17:08Z

Delayed slightly by the fact that zlib 1.2.8 is no longer downloadable (which is used for windows devkit builds); need to upgrade to zlib 1.2.11.

GNOME/libxml2@a005199 alters the return value in this edge case. See #1615 for more background on this libxml2 commit, which was pulled in by Canonical to address CVE-2016-5131, which is mildly mysterious.

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones · 2017-03-20T03:48:57Z

Shipped v1.7.1, here's the build status for posterity:

# 1.7.1 / unreleased ## Security Notes [MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131. For more information: * sparklemotion/nokogiri#1615 * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4658.html * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5131.html ## Dependencies * [Windows] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)

1.7.1 has a fix for this vulnerability: sparklemotion/nokogiri#1615

Allows users to upgrade Nokogiri to 1.7.x to protect themselves from CVE-2016-4658: sparklemotion/nokogiri#1615

Nokogiri 1.7.1 was released to address security issues: sparklemotion/nokogiri#1615

which address CVE-2016-4658 and CVE-2016-5131. see sparklemotion#1615 for more information

…on of Nokogiri (see sparklemotion/nokogiri#1615)

This was a vulnerability: sparklemotion/nokogiri#1615 By updating rails, that updated other dependencies and along with it nokogiri which removed the vulnerability.

* Update Nokogiri to v1.8.0 Addresses security vulnerability: - [nokogiri issue 1615](sparklemotion/nokogiri#1615) - [nokogiri issue 1634](sparklemotion/nokogiri#1634)

* Travis is failing because ruby-advisory-db warning say nokogiri is out of date and has vulnerabilities. sparklemotion/nokogiri#1615 sparklemotion/nokogiri#1634 sparklemotion/nokogiri#1473 * Also updated capybara-webkit which uses nokogiri

(#803)

which address CVE-2016-4658 and CVE-2016-5131. see sparklemotion#1615 for more information

GNOME/libxml2@a005199 alters the return value in this edge case. See sparklemotion#1615 for more background on this libxml2 commit, which was pulled in by Canonical to address CVE-2016-5131, which is mildly mysterious.

* Maybe I should write a script to automatically update nokogiri :) ruby-advisory-db: 288 advisories Name: nokogiri Version: 1.7.0.1 Advisory: CVE-2016-4658 Criticality: Unknown URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.7.0.1 Advisory: CVE-2017-5029 Criticality: Unknown URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2 Name: nokogiri Version: 1.7.0.1 Advisory: CVE-2017-9050 Criticality: Unknown URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1

Reference: sparklemotion/nokogiri#1615

Name: actionview Version: 4.2.6 Advisory: CVE-2016-6316 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk Title: Possible XSS Vulnerability in Action View Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1 Name: activerecord Version: 4.2.6 Advisory: CVE-2016-6317 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s Title: Unsafe Query Generation Risk in Active Record Solution: upgrade to >= 4.2.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-9050 URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2016-4658 URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2015-8806 URL: sparklemotion/nokogiri#1473 Title: Denial of service or RCE from libxml2 and libxslt Solution: upgrade to >= 1.6.8 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-5029 URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2

Note that this upgrade changes minimum required ruby version from 1.9.3-p551 to 2.1.8. ``` $ bundle audit check Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2016-4658 Criticality: Unknown URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2017-5029 Criticality: Unknown URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2016-4658 Criticality: Unknown URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.8.1 Advisory: CVE-2017-5029 Criticality: Unknown URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2 Vulnerabilities found! ```

Earlier versions of Nokogiri have security issues as follows: [CVE-2016-4658](sparklemotion/nokogiri#1615) [CVE-2017-5029](sparklemotion/nokogiri#1634) [CVE-2017-9050](sparklemotion/nokogiri#1673) [CVE-2017-16932](sparklemotion/nokogiri#1714) [CVE-2017-15412](sparklemotion/nokogiri#1714)

Updated 'deface' to update 'nokogiri' dependency gem after vulnerability checks with 'audit': Nokogiri gem contains several vulnerabilities in libxml2 and libxslt. sparklemotion/nokogiri#1615

flavorjones added the topic/security label Mar 17, 2017

flavorjones added a commit that referenced this issue Mar 17, 2017

add patches from USN-3235-1

e6bcf38

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones added a commit that referenced this issue Mar 17, 2017

add patches from USN-3235-1

d30c9f9

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones added a commit that referenced this issue Mar 17, 2017

add patches from USN-3235-1

a945f6d

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones added a commit that referenced this issue Mar 20, 2017

add patches from USN-3235-1

fd3b5c0

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones added a commit that referenced this issue Mar 20, 2017

add patches from USN-3235-1

2cdde53

which address CVE-2016-4658 and CVE-2016-5131. see #1615 for more information

flavorjones closed this as completed Mar 20, 2017

smythey21 mentioned this issue Mar 23, 2017

Upgrade Nokogiri To 1.7.1 recurly/recurly-client-ruby#316

Closed

patbl added a commit to academia-edu/simple-sitemap that referenced this issue Mar 23, 2017

gemspec: Update Nokogiri dependency version

47a38be

1.7.1 has a fix for this vulnerability: sparklemotion/nokogiri#1615

patbl mentioned this issue Mar 23, 2017

gemspec: Update Nokogiri dependency version academia-edu/simple-sitemap#5

Merged

jmgarnier mentioned this issue Mar 23, 2017

new release on 1-0-stable following CVE-2016-5131? rails/rails-dom-testing#63

Closed

thebenedict mentioned this issue Mar 23, 2017

Possible to relax nokogiri dependency? jamesmartin/inline_svg#59

Closed

jamesmartin added a commit to jamesmartin/inline_svg that referenced this issue Mar 23, 2017

Relax Nokogiri dependency.

d3050b5

Allows users to upgrade Nokogiri to 1.7.x to protect themselves from CVE-2016-4658: sparklemotion/nokogiri#1615

thebenedict mentioned this issue Mar 23, 2017

Possible to relax nokogiri version? rails/rails-dom-testing#64

Closed

jamilbk mentioned this issue Mar 23, 2017

Airbrake requires nokogiri 1.6.8.1 which is vulnerable to CVE-2016-4448 and CVE-2016-4658 airbrake/airbrake#701

Closed

AxelTheGerman mentioned this issue Mar 23, 2017

XD-3662 Upgrades nokogiri dependency to ~> 1.7.1 to include fixed CVE acl-services/creek#8

Merged

rymai added a commit to rymai/omniauth-cas3 that referenced this issue Mar 23, 2017

Update nokogiri dependency to ~> 1.7

ce91ae8

Nokogiri 1.7.1 was released to address security issues: sparklemotion/nokogiri#1615

rymai mentioned this issue Mar 23, 2017

Update nokogiri dependency to ~> 1.7 tduehr/omniauth-cas3#2

Merged

sgerrand pushed a commit to sgerrand/nokogiri that referenced this issue May 14, 2017

add patches from USN-3235-1

1aca565

which address CVE-2016-4658 and CVE-2016-5131. see sparklemotion#1615 for more information

michael-harrison pushed a commit to michael-harrison/exlibris-primo that referenced this issue May 17, 2017

Added my variation on Savon to fix security issue caused by old versi…

2eeb6d0

…on of Nokogiri (see sparklemotion/nokogiri#1615)

edwardloveall mentioned this issue Jun 3, 2017

Update gems edwardloveall/portfolio#59

Merged

This was referenced Jun 14, 2017

nokogiri security issues 1615 & 1634 dandemeyere/responsys-api#44

Closed

Update nokogiri to v 1.8.0 dandemeyere/responsys-api#45

Closed

Update nokogiri 1.8.0 dandemeyere/responsys-api#46

Merged

pcai pushed a commit to savonrb/savon that referenced this issue Aug 2, 2017

Update of Nokogiri due to vulnerability. See sparklemotion/nokogiri#1615

6b4e014

(#803)

shopify-services mentioned this issue Aug 21, 2017

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Shopify/ruby-bench-web#7

Closed

semipermeable pushed a commit to solanolabs/nokogiri that referenced this issue Aug 30, 2017

add patches from USN-3235-1

9b1fb92

which address CVE-2016-4658 and CVE-2016-5131. see sparklemotion#1615 for more information

holmesie mentioned this issue Aug 31, 2017

Cql4bonnie 1002 MeasureAuthoringTool/bonnie_bundler#105

Merged

neilbartley mentioned this issue Sep 26, 2017

Update to defend against CVE-2016-4658, CVE-2017-5946 and CVE-2017-9050 ruby-docx/docx#43

Closed

AdrianCann mentioned this issue Oct 1, 2017

Update nokogiri based on ruby advisory sophomoric/maddie#57

Merged

maartenvg pushed a commit to Shopify/active_shipping that referenced this issue Nov 9, 2017

Bump nokogiri version to 1.7.1 due to security vulnerability

e300ca9

Reference: sparklemotion/nokogiri#1615

maartenvg pushed a commit to Shopify/active_shipping that referenced this issue Nov 9, 2017

Bump nokogiri version to 1.7.1 due to security vulnerability

d5b2f91

Reference: sparklemotion/nokogiri#1615

havenwood mentioned this issue Dec 7, 2017

Bump Rails, Nokogiri, and related gem versions to address CVEs square/connect-api-examples#46

Merged

fedegratti mentioned this issue Dec 9, 2017

Update gitgub_api dependency to prevent security problems basecamp/trix#467

Closed

rainerdema mentioned this issue Oct 18, 2018

Update 'deface' dependency version nebulab/solidus_editor#1

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RFC: applying patches from USN-3235-1 #1615

RFC: applying patches from USN-3235-1 #1615

flavorjones commented Mar 17, 2017 •

edited

Loading

flavorjones commented Mar 17, 2017 •

edited

Loading

flavorjones commented Mar 17, 2017

flavorjones commented Mar 17, 2017 •

edited

Loading

flavorjones commented Mar 17, 2017

flavorjones commented Mar 18, 2017

flavorjones commented Mar 20, 2017

flavorjones commented Mar 20, 2017

RFC: applying patches from USN-3235-1 #1615

RFC: applying patches from USN-3235-1 #1615

Comments

flavorjones commented Mar 17, 2017 • edited Loading

USN-3235-1: libxml2 vulnerabilities

CVE-2016-4448

CVE-2016-4658

CVE-2016-5131

flavorjones commented Mar 17, 2017 • edited Loading

flavorjones commented Mar 17, 2017

flavorjones commented Mar 17, 2017 • edited Loading

flavorjones commented Mar 17, 2017

flavorjones commented Mar 18, 2017

flavorjones commented Mar 20, 2017

flavorjones commented Mar 20, 2017

flavorjones commented Mar 17, 2017 •

edited

Loading

flavorjones commented Mar 17, 2017 •

edited

Loading

flavorjones commented Mar 17, 2017 •

edited

Loading