evaluate upstream libxslt patches mentioned in USN-3271-1 #1634

Closed
flavorjones opened this Issue Apr 28, 2017 · 4 comments

flavorjones commented Apr 28, 2017

This issue is to drive investigation and potential action around a set of upstream libxslt patches that Canonical judged valuable enough to port to their distributions.

USN-3271-1

"libxslt vulnerabilities"

https://www.ubuntu.com/usn/usn-3271-1/

CVE-2017-5029

http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html

priority: medium

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in
Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux
and 57.0.2987.108 for Android, lacked a check for integer overflow during a
size calculation, which allowed a remote attacker to perform an out of
bounds memory write via a crafted HTML page.

patches:

CVE-2016-1683

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1683.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
cause a denial of service (out-of-bounds heap memory access) or possibly
have unspecified other impact via a crafted document.

patches:

CVE-2016-1841

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1841.html

priority: medium

libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via a
crafted web site.

patches:

CVE-2015-7995

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7995.html

priority: low

The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check if the parent node is an element, which allows attackers to cause a
denial of service via a crafted XML file, related to a "type confusion"
issue.

patches:

CVE-2016-1684

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1684.html

priority: medium

numbers.c in libxslt before 1.1.29, as used in Google Chrome before
51.0.2704.63, mishandles the i format token for xsl:number data, which
allows remote attackers to cause a denial of service (integer overflow or
resource consumption) or possibly have unspecified other impact via a
crafted document.

patches:

CVE-2016-4738

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

priority: medium

libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted web site.

patches:
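The CVE-2017-5029 entry above describes a size calculation in xsltAddTextString that lacked an integer-overflow check, so a crafted input could make the computed buffer size wrap and the following copy write out of bounds. The C below is an added illustration of that bug class and its fix, not code from libxslt or Nokogiri: a constructed text buffer with the same `len + existing + 1` calculation, the overflow predicate an unchecked version lacks, and an append that rejects the request instead of wrapping. The structure and function names are assumptions for the example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of an accumulating text buffer; not libxslt's node or
 * context structures, only the same shape of size calculation. */
typedef struct {
    char *content;   /* NUL-terminated text accumulated so far */
    int   len;       /* bytes in use, excluding the NUL terminator */
    int   size;      /* bytes allocated for content */
} text_buf;

/* The unchecked calculation is minSize = len + cur_len + 1 in int arithmetic.
 * Returns 1 when that sum is not representable: an unchecked version would wrap,
 * size the buffer for the wrapped value, then copy `len` bytes into it. */
int size_calc_would_overflow(int cur_len, int len) {
    if (cur_len < 0 || len < 0) return 1;
    return len >= INT_MAX - cur_len;   /* >= leaves no room for the +1 */
}

/* Hardened append: rejects the request instead of computing a wrapped size.
 * Returns 0 on success, -1 on overflow or allocation failure (buffer untouched). */
int text_append(text_buf *b, const char *s, int len) {
    int min_size;
    if (len <= 0 || s == NULL) return 0;                  /* nothing to append */
    if (size_calc_would_overflow(b->len, len)) return -1; /* the missing check */
    min_size = b->len + len + 1;
    if (b->size < min_size) {
        /* grow geometrically, capping the doubling instead of wrapping it */
        int new_size = (b->size > INT_MAX / 2) ? INT_MAX : 2 * b->size;
        if (new_size < min_size) new_size = min_size;
        char *p = realloc(b->content, (size_t)new_size);
        if (p == NULL) return -1;
        b->content = p;
        b->size = new_size;
    }
    memcpy(b->content + b->len, s, (size_t)len);
    b->len += len;
    b->content[b->len] = '\0';
    return 0;
}

/* Walk-through: two normal appends, then a request whose size calculation would
 * wrap (its string is never read because the request is rejected); returns 10. */
int example_run(void) {
    text_buf b = { NULL, 0, 0 };
    int ok = text_append(&b, "hello", 5) == 0 && text_append(&b, "world", 5) == 0;
    int rejected = text_append(&b, "x", INT_MAX) == -1;
    int len = (ok && rejected && strcmp(b.content, "helloworld") == 0) ? b.len : -1;
    free(b.content);
    return len;
}
```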

flavorjones commented Apr 28, 2017

To focus the decision, there are only two patches in this set that were not in libxslt 1.1.29: the patch for CVE-2017-5029 (medium) and for CVE-2016-4738 (medium).

I'd like to port these to Nokogiri and cut v1.7.2 as a security release.

I'll do this in the next few days unless I hear compelling objections here in the next 24 hours.

flavorjones added a commit that referenced this issue May 9, 2017

apply upstream libxslt patches
to address CVE-2017-5029 and CVE-2016-4738.

see #1634 for more information.

flavorjones commented May 9, 2017

3c8d673 on the v1.7.x branch is green:

[screenshot: green CI build status]

shipping it now.

flavorjones commented May 9, 2017

v1.7.2 has been released with these patches.

flavorjones added a commit that referenced this issue May 9, 2017

apply upstream libxslt patches
to address CVE-2017-5029 and CVE-2016-4738.

see #1634 for more information.
flavorjones commented May 9, 2017

And merged into master. Closing.

flavorjones closed this May 9, 2017

oliverguenther added a commit to opf/openproject that referenced this issue May 10, 2017

infertux added a commit to buckybox/webstore that referenced this issue May 10, 2017

infertux added a commit to buckybox/core that referenced this issue May 10, 2017

dreamfall added a commit to bitzesty/qae that referenced this issue May 15, 2017

amatriain added a commit to amatriain/feedbunch that referenced this issue May 15, 2017

Updated nokogiri 1.7.1 -> 1.7.2
This fixes a vulnerability, for more details see:

sparklemotion/nokogiri#1634

jsugarman added a commit to ministryofjustice/peoplefinder that referenced this issue May 17, 2017

md5 referenced this issue May 20, 2017 in a merged pull request: Update gems #423

andrecedik added a commit to shipcloud/shipcloud.github.io that referenced this issue May 22, 2017

update html-proofer gem
This fixes a [security issue with nokogiri v1.7.1](sparklemotion/nokogiri#1634)

jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Jun 5, 2017

taca
Update ruby-nokogiri to 1.8.0.
# 1.8.0 / 2017-06-04

## Backwards incompatibilities

This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and `x64-mingw32` platform gems (containing pre-compiled DLLs). Official support ended for Ruby 2.1 on 2017-04-01.

Please note that this deprecation note only applies to the precompiled Windows gems. Ruby 2.1 continues to be supported (for now) in the default gem when compiled on installation.


## Dependencies

* [Windows] Upgrade iconv from 1.14 to 1.15 (unless --use-system-libraries)
* [Windows] Upgrade zlib from 1.2.8 to 1.2.11 (unless --use-system-libraries)
* [MRI] Upgrade rake-compiler dependency from 0.9.2 to 1.0.3
* [MRI] Upgrade mini-portile2 dependency from `~> 2.1.0` to `~> 2.2.0`


## Compatibility notes

* [JRuby] Removed support for `jruby --1.8` code paths. [#1607] (Thanks, @kares!)
* [MRI Windows] Retrieve zlib source from http://zlib.net/fossils to avoid deprecation issues going forward. See #1632 for details around this problem.


## Features

* NodeSet#clone is not an alias for NodeSet#dup [#1503] (Thanks, @stephankaag!)
* Allow Processing Instructions and Comments as children of a document root. [#1033] (Thanks, @windwiny!)
* [MRI] PushParser#replace_entities and #replace_entities= will control whether entities are replaced or not. [#1017] (Thanks, @spraints!)
* [MRI] SyntaxError#to_s now includes line number, column number, and log level if made available by the parser. [#1304, #1637] (Thanks, @spk and @ccarruitero!)
* [MRI] Cross-built Windows gems now support Ruby 2.4
* [MRI] Support for frozen string literals. [#1413]
* [MRI] Support for installing Nokogiri on a machine in FIPS-enabled mode [#1544]
* [MRI] Vendored libraries are verified with SHA-256 hashes (formerly some MD5 hashes were used) [#1544]
* [JRuby] (performance) remove unnecessary synchronization of class-cache [#1563] (Thanks, @kares!)
* [JRuby] (performance) remove unnecessary cloning of objects in XPath searches [#1563] (Thanks, @kares!)
* [JRuby] (performance) more performance improvements, particularly in XPath, Reader, XmlNode, and XmlNodeSet [#1597] (Thanks, @kares!)


## Bugs

* HTML::SAX::Parser#parse_io now correctly parses HTML and not XML [#1577] (Thanks for the test case, @gregors!)
* Support installation on systems with a `lib64` site config. [#1562]
* [MRI] on OpenBSD, do not require gcc if using system libraries [#1515] (Thanks, @jeremyevans!)
* [MRI] XML::Attr.new checks type of Document arg to prevent segfaults. [#1477]
* [MRI] Prefer xmlCharStrdup (and friends) to strdup (and friends), which can cause problems on some platforms. [#1517] (Thanks, @jeremy!)
* [JRuby] correctly append a text node before another text node [#1318] (Thanks, @jkraemer!)
* [JRuby] custom xpath functions returning an integer now work correctly [#1595] (Thanks, @kares!)
* [JRuby] serializing (`#to_html`, `#to_s`, et al) a document with explicit encoding now works correctly. [#1281, #1440] (Thanks, @kares!)
* [JRuby] XML::Reader now returns parse errors [#1586] (Thanks, @kares!)
* [JRuby] Empty NodeSets are now decorated properly. [#1319] (Thanks, @kares!)
* [JRuby] Merged nodes no longer results in Java exceptions during XPath queries. [#1320] (Thanks, @kares!)


# 1.7.2 / 2017-05-09

## Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.

For more information:

* sparklemotion/nokogiri#1634
* http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 12, 2017

zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 13, 2017

zammad-sync pushed a commit to zammad/zammad that referenced this issue Jun 13, 2017

florrain added a commit to dandemeyere/responsys-api that referenced this issue Jun 19, 2017

Update nokogiri 1.8.0 (#46)
* Update Nokogiri to v1.8.0

Addresses security vulnerability:
- [nokogiri issue 1615](sparklemotion/nokogiri#1615)
- [nokogiri issue 1634](sparklemotion/nokogiri#1634)

tmtmtmtm added a commit to everypolitician/viewer-sinatra that referenced this issue Jul 6, 2017

Update nokogiri
The currently installed version has a security advisory:

```
Updated ruby-advisory-db
ruby-advisory-db: 287 advisories
Name: nokogiri
Version: 1.7.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2
```

AdrianCann added a commit to sophomoric/secret that referenced this issue Jul 22, 2017

Update rails and its dependencies
* Travis is failing because ruby-advisory-db warning say nokogiri is out
of date and has vulnerabilities.

sparklemotion/nokogiri#1615
sparklemotion/nokogiri#1634
sparklemotion/nokogiri#1473

* Also updated capybara-webkit which uses nokogiri

semipermeable pushed a commit to solanolabs/nokogiri that referenced this issue Aug 30, 2017

apply upstream libxslt patches
to address CVE-2017-5029 and CVE-2016-4738.

see sparklemotion#1634 for more information.

Conflicts:
	CHANGELOG.rdoc

AdrianCann added a commit to sophomoric/maddie that referenced this issue Oct 1, 2017

Update nokogiri based on ruby advisory
* Maybe I should write a script to automatically update nokogiri :)

ruby-advisory-db: 288 advisories
Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and
libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt
1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.7.0.1
Advisory: CVE-2017-9050
Criticality: Unknown
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE
vulnerabilities
Solution: upgrade to >= 1.8.1

michael-harrison added a commit to michael-harrison/exlibris-primo that referenced this issue Dec 6, 2017

pcai added a commit to savonrb/savon that referenced this issue Dec 7, 2017

havenwood pushed a commit to havenwood/connect-api-examples that referenced this issue Dec 7, 2017

Shannon Skipper
Bump Rails and Nokogiri versions to address CVEs
Name: actionview
Version: 4.2.6
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activerecord
Version: 4.2.6
Advisory: CVE-2016-6317
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to >= 4.2.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-9050
URL: sparklemotion/nokogiri#1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2016-4658
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2015-8806
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: nokogiri
Version: 1.6.7.2
Advisory: CVE-2017-5029
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

juchem added a commit to airbnb/synapse that referenced this issue Apr 23, 2018

Upgrading `nokogiri` gem due to security vulnerability
Note that this upgrade changes minimum required ruby version from
1.9.3-p551 to 2.1.8.

```
$ bundle audit check
Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2016-4658
Criticality: Unknown
URL: sparklemotion/nokogiri#1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.6.8.1
Advisory: CVE-2017-5029
Criticality: Unknown
URL: sparklemotion/nokogiri#1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Vulnerabilities found!
```

dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)
