Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate Ubuntu libxslt patches in USN-3947-1 and USN-3947-2 #1892

Closed
flavorjones opened this issue Apr 16, 2019 · 7 comments
Closed

Investigate Ubuntu libxslt patches in USN-3947-1 and USN-3947-2 #1892

flavorjones opened this issue Apr 16, 2019 · 7 comments

Comments

@flavorjones
Copy link
Member

@flavorjones flavorjones commented Apr 16, 2019

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary (updated 2019-04-22):

The patch addressing this vulnerability is not yet available in an upstream libxslt release, and so Your Humble Maintainer has cut v1.10.3 of Nokogiri that includes this patch in the vendored library.


Interpretation:

To the best of my (@flavorjones) understanding of the vulnerability, an application should not be vulnerable unless it is doing both of the following things:

  1. explicitly performing XSLT transformations using methods and classes in the Nokogiri::XSLT module
  2. and doing so using untrusted stylesheets or untrusted documents

If your code is not doing both of those things, then I believe you can treat this as a lower priority.


History of editing this issue:

  • 2019-04-15: issue created
  • 2019-04-22: updated with USN/CVE background and note indicating Nokogiri v1.10.3 has been released
  • 2019-04-23: added link to NVD entry, and replaced Debian's reported severity with the one in NVD (which Debian points to).
  • 2019-04-23: added an interpretation to help guide individual teams' priorities.
@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 22, 2019

USNs

https://usn.ubuntu.com/3947-1/ which addresses CVE-2019-11068

https://usn.ubuntu.com/3947-2/ which also addresses CVE-2019-11068

CVEs

CVE-2019-11068

Permalinks

Severity

  • Canonical rates this as "Priority: Medium".
  • NVD indicates that this is a CVSS v3.0 severity "9.8: Critical".

Description

libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.

Upstream

The Debian bug report indicates this as the upstream commit addressing the vulnerability:

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6

Looking at upstream source for libxslt:

$ git tag --contains e035536

... we see this commit is not yet in a libxslt release.

flavorjones added a commit that referenced this issue Apr 22, 2019
related to USN-3947-1 and USN-3947-2.

addresses #1892
@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 22, 2019

Backported patch is in a PR at #1898

@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 22, 2019

TODO for releasing v1.10.3:

@flavorjones flavorjones added this to the v1.10.x patch releases milestone Apr 22, 2019
@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 22, 2019

Email to Tidelift support versions being out of sync. Will handle once that's synced.

hpjaj added a commit to department-of-veterans-affairs/vets-api that referenced this issue Apr 22, 2019
Stems from:

A CVE for Nokogiri and all vets-api builds will fail until we upgrade nokogiri:

sparklemotion/nokogiri#1892
@hpjaj hpjaj mentioned this issue Apr 22, 2019
7 of 7 tasks complete
@nporteschaikin

This comment has been minimized.

Copy link

@nporteschaikin nporteschaikin commented Apr 22, 2019

@flavorjones Hi! 👋 Are you also going to backport this fix to the minor version 1.9?

hpjaj added a commit to department-of-veterans-affairs/vets-api that referenced this issue Apr 22, 2019
* Resolves gem vulnerability issues

Stems from:

A CVE for Nokogiri and all vets-api builds will fail until we upgrade nokogiri:

sparklemotion/nokogiri#1892
@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 22, 2019

@nporteschaikin No, was not intending to backport to v1.9.x.

va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Apr 22, 2019
CircleCI reported security vulnerability for version 1.8.5. Upgrades Nokogiri to version 1.10.3

```
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock, then specify a safe version of the dependency in the Gemfile (preferred) or snooze the CVE in security.rake for a week.
```
phallstrom added a commit to railslink/railslink that referenced this issue Apr 23, 2019
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
phallstrom added a commit to railslink/railslink that referenced this issue Apr 23, 2019
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
@flavorjones

This comment has been minimized.

Copy link
Member Author

@flavorjones flavorjones commented Apr 23, 2019

I've added an "interpretation" note in the description to help people understand whether it's likely (or not) that their code is susceptible to this vulnerability. It says the following:

To the best of my (@flavorjones) understanding of the vulnerability, an application should not be vulnerable unless it is doing both of the following things:

  1. explicitly performing XSLT transformations using methods and classes in the Nokogiri::XSLT module
  2. and doing so using untrusted stylesheets or untrusted documents

If your code is not doing both of those things, then I believe you can treat this as a lower priority.

david-a-wheeler added a commit to coreinfrastructure/best-practices-badge that referenced this issue Apr 24, 2019
Update nokogi gem per CVE-2019-11068,
URL: sparklemotion/nokogiri#1892
"Nokogiri gem, via libxslt, is affected by
improper access control vulnerability".

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
dannyvanderheiden added a commit to digidentity/libsaml that referenced this issue Apr 26, 2019
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
Kagemaru added a commit to puzzle/puzzletime that referenced this issue Apr 30, 2019
Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
Kagemaru added a commit to puzzle/puzzletime that referenced this issue Apr 30, 2019
Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
rokumatsumoto added a commit to rokumatsumoto/boyutluseyler that referenced this issue May 1, 2019
Name: nokogiri
Version: 1.10.2
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
dentarg added a commit to twingly/feedbag.herokuapp.com that referenced this issue May 2, 2019
From https://travis-ci.com/twingly/audit/jobs/197170353

Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
dentarg added a commit to twingly/feedjira.herokuapp.com that referenced this issue May 2, 2019
From https://travis-ci.com/twingly/audit/jobs/197170353

Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
azul added a commit to riseuplabs/crabgrass-core that referenced this issue Jun 2, 2019
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Kagemaru added a commit to puzzle/puzzletime that referenced this issue Jun 3, 2019
Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jun 22, 2019
Upstream changelog (from CHANGELOG.md):

## 1.10.3 / 2019-04-22

### Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](sparklemotion/nokogiri#1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.


## 1.10.2 / 2019-03-24

### Security

* [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
* [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]


### Bug fixes

* [JRuby] Fix node ownership in duplicated documents. [#1060]
* [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)
alexdean added a commit to alexdean/focus_group that referenced this issue Jun 25, 2019
$ bundle exec bundle-audit check

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6

Name: railties
Version: 5.2.1
Advisory: CVE-2019-5420
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
Title: Possible Remote Code Execution Exploit in Rails Development Mode
Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Vulnerabilities found!
notalex added a commit to blackducksoftware/ohloh-ui that referenced this issue Aug 19, 2019
sparklemotion/nokogiri#1892

We had to downgrade bundler as rails 4.2 depends on bundler <2
Koronen added a commit to Koronen/koronen.github.io that referenced this issue Aug 20, 2019
Bump gems
Address two `nokogiri` CVEs (as reported by `bundler-audit`).

    Name: nokogiri
    Version: 1.10.1
    Advisory: CVE-2019-5477
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1915
    Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
    Solution: upgrade to >= 1.10.4

    Name: nokogiri
    Version: 1.10.1
    Advisory: CVE-2019-11068
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1892
    Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
    Solution: upgrade to >= 1.10.3
schleuderrr pushed a commit to schleuder/schleuder-web that referenced this issue Jan 4, 2020
This also includes an upgrade of the nokogiri version to fix the
following vulnerability:

Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.