New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate Ubuntu libxml2 patches in USN-3504-1, USN-3504-2, USN-3513-1, USN-3513-2 #1714

Closed
flavorjones opened this Issue Jan 29, 2018 · 3 comments

Comments

Projects
None yet
1 participant
@flavorjones
Copy link
Member

flavorjones commented Jan 29, 2018

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.


Summary of findings

Upgrading Nokogiri to distribute libxml v2.9.6 or later is necessary to address one of the upstream libxml2 vulnerabilities, which is categorized "Priority: Medium" by Canonical.

@flavorjones

This comment has been minimized.

Copy link
Member

flavorjones commented Jan 29, 2018

USNs

USN-3504-1 and -2

The canonical Canonical links:

Both of these USNs address CVE-2017-16932:

USN-3513-1 and -2

The canonical Canonical links:

Both of these USNs address CVE-2017-15412:

CVEs

CVE-2017-15412

Description: "use after-free in xmlXPathCompOpEvalPositionPredicate"

Canonical rates this CVE as "Priority: Medium"

According to the CVE report, the patch that addresses this CVE is:

Looking at libxml2 source ...

$ git tag --contains 0f3b843b3534784
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8-rc1

... we see this was fixed in libxml v2.9.6.

CVE-2017-16932

Description: "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."

Canonical rates this CVE as "Priority: Medium"

According to to CVE report, the patch that addresses this CVE is:

Looking at libxml2 source ...

$ git tag --contains 899a5d9f0ed13b8e32449a08a361e0de127dd961
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8-rc1

... we see this was fixed in libxml v2.9.5

@flavorjones

This comment has been minimized.

Copy link
Member

flavorjones commented Jan 29, 2018

Conclusions

CVE-2017-15412

CVE-2017-15412 was addressed in libxml v2.9.6, which Nokogiri's latest release (v1.8.1) has not yet vendored. Upgrading Nokogiri to distribute libxml v2.9.6 or later is necessary to address this vulnerability.

Note that libxml v2.9.7 has been on Nokogiri master since commit 1756096 timestamped 2017-11-13, so this change is ready to go in the next release.

CVE-2017-16932

CVE-2017-16932 was addressed in libxml 2.9.5, and so Nokogiri v1.8.1 (released 2017-09-19) has already addressed this vulnerability. No action necessary.

@flavorjones flavorjones added this to the 1.8.2 milestone Jan 29, 2018

flavorjones added a commit that referenced this issue Jan 29, 2018

update CHANGELOG
[related to #1714]
[skip ci]
@flavorjones

This comment has been minimized.

Copy link
Member

flavorjones commented Jan 29, 2018

Shipping 1.8.2 with libxml 2.9.7 will address this.

danbernier added a commit to tedconf/crushinator_helpers that referenced this issue Feb 6, 2018

bundle update nokogiri for CVE
Advisory: CVE-2017-15412
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

henare added a commit to everypolitician/legislative-explorer that referenced this issue Feb 7, 2018

Update nokogiri to 1.8.2
In response to security advisory reported by bundler audit:

```
Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Vulnerabilities found!
```

schleuderrr pushed a commit to schleuder/schleuder-web that referenced this issue Feb 10, 2018

Upgrade nokogiri to version 1.8.2
For the previous version a vulnerability was found. Please find the
details here: sparklemotion/nokogiri#1714

schleuderrr pushed a commit to schleuder/schleuder-web that referenced this issue Feb 10, 2018

Upgrade nokogiri to version 1.8.2
For the previous version a vulnerability was found. Please find the
details here: sparklemotion/nokogiri#1714

dentarg added a commit to dentarg/skuld that referenced this issue Feb 11, 2018

hirocaster added a commit to hirocaster/fastladder that referenced this issue Mar 2, 2018

Update nokogiri gem to 1.8.2
libxml2 incorrectly handles certain files. An attacker can use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Affected versions: Prior to 1.8.2
Fixed versions: 1.8.2
Identifier: CVE-2017-15412
Solution: Upgrade to latest version.
Sources: sparklemotion/nokogiri#1714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412

Koronen added a commit to swanson/stringer that referenced this issue Mar 20, 2018

Bump nokogiri to address CVE-2017-15412
As reported by `bundler-audit`:

> Name: nokogiri
> Version: 1.8.1
> Advisory: CVE-2017-15412
> Criticality: Unknown
> URL: sparklemotion/nokogiri#1714
> Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
> Solution: upgrade to >= 1.8.2

grepsedawk added a commit to grepsedawk/celebrity-picture-rater that referenced this issue Apr 6, 2018

Update vulnerable gems to the latest version
bundle-audit output:
--------------------
Updating ruby-advisory-db ...
Updated ruby-advisory-db
ruby-advisory-db: 304 advisories
Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Vulnerabilities found!

grepsedawk added a commit to grepsedawk/celebrity-picture-rater that referenced this issue Apr 6, 2018

AUTO: Update vulnerable gems to the latest version
bundle-audit output:
--------------------
Updating ruby-advisory-db ...
Updated ruby-advisory-db
ruby-advisory-db: 304 advisories
Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Vulnerabilities found!

grepsedawk added a commit to grepsedawk/celebrity-picture-rater that referenced this issue Apr 6, 2018

AUTO: Update vulnerable gems to the latest version
bundle-audit output:
--------------------
Updating ruby-advisory-db ...
Updated ruby-advisory-db
ruby-advisory-db: 304 advisories
Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Vulnerabilities found!

geemus added a commit to geemus/stringer that referenced this issue Apr 27, 2018

Bump nokogiri to address CVE-2017-15412
As reported by `bundler-audit`:

> Name: nokogiri
> Version: 1.8.1
> Advisory: CVE-2017-15412
> Criticality: Unknown
> URL: sparklemotion/nokogiri#1714
> Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
> Solution: upgrade to >= 1.8.2

whoisjake added a commit to DevelopStuff/stringer that referenced this issue Jun 6, 2018

Bump nokogiri to address CVE-2017-15412
As reported by `bundler-audit`:

> Name: nokogiri
> Version: 1.8.1
> Advisory: CVE-2017-15412
> Criticality: Unknown
> URL: sparklemotion/nokogiri#1714
> Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
> Solution: upgrade to >= 1.8.2

dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)

dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)

dominicsayers added a commit to dominicsayers/url_canonicalize that referenced this issue Jun 30, 2018

Ensure secure Nokogiri version
Earlier versions of Nokogiri have security issues as follows:

[CVE-2016-4658](sparklemotion/nokogiri#1615)
[CVE-2017-5029](sparklemotion/nokogiri#1634)
[CVE-2017-9050](sparklemotion/nokogiri#1673)
[CVE-2017-16932](sparklemotion/nokogiri#1714)
[CVE-2017-15412](sparklemotion/nokogiri#1714)

stevecrozz added a commit to stevecrozz/nokogiri that referenced this issue Oct 5, 2018

update CHANGELOG
[related to sparklemotion#1714]
[skip ci]

gabebw added a commit to gabebw/hotline-webring that referenced this issue Dec 12, 2018

Update vulnerable gems
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

gabebw added a commit to gabebw/hotline-webring that referenced this issue Dec 12, 2018

Update vulnerable gems
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

kares referenced this issue Jan 15, 2019

JRuby gem spec no longer needs to include 1.9
because we're officially removing support for JRuby 1.7

Part of #1741

[skip ci]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment