
Investigate Ubuntu libxslt patches in USN-3947-1 and USN-3947-2 #1892

Closed
flavorjones opened this issue Apr 16, 2019 · 7 comments

@flavorjones (Member) commented Apr 16, 2019

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary (updated 2019-04-22):

The patch addressing this vulnerability is not yet available in an upstream libxslt release, and so Your Humble Maintainer has cut v1.10.3 of Nokogiri that includes this patch in the vendored library.


Interpretation:

To the best of my (@flavorjones) understanding of the vulnerability, an application should not be vulnerable unless it is doing both of the following things:

  1. explicitly performing XSLT transformations using methods and classes in the Nokogiri::XSLT module
  2. and doing so using untrusted stylesheets or untrusted documents

If your code is not doing both of those things, then I believe you can treat this as a lower priority.


History of editing this issue:

  • 2019-04-15: issue created
  • 2019-04-22: updated with USN/CVE background and note indicating Nokogiri v1.10.3 has been released
  • 2019-04-23: added link to NVD entry, and replaced Debian's reported severity with the one in NVD (which Debian points to).
  • 2019-04-23: added an interpretation to help guide individual teams' priorities.
@flavorjones (Member, Author) commented Apr 22, 2019

USNs

https://usn.ubuntu.com/3947-1/ which addresses CVE-2019-11068

https://usn.ubuntu.com/3947-2/ which also addresses CVE-2019-11068

CVEs

CVE-2019-11068

Permalinks

Severity

  • Canonical rates this as "Priority: Medium".
  • NVD indicates that this is a CVSS v3.0 severity "9.8: Critical".

Description

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Upstream

The Debian bug report indicates this as the upstream commit addressing the vulnerability:

https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6

Looking at upstream source for libxslt:

```
$ git tag --contains e035536
```

... we see this commit is not yet in a libxslt release.

flavorjones added a commit that referenced this issue Apr 22, 2019

Backport libxslt patch for CVE-2019-11068
related to USN-3947-1 and USN-3947-2.

addresses #1892
@flavorjones (Member, Author) commented Apr 22, 2019

Backported patch is in a PR at #1898

@flavorjones (Member, Author) commented Apr 22, 2019

TODO for releasing v1.10.3:

flavorjones added this to the v1.10.x patch releases milestone Apr 22, 2019

@flavorjones (Member, Author) commented Apr 22, 2019

Email to Tidelift support versions being out of sync. Will handle once that's synced.

hpjaj added a commit to department-of-veterans-affairs/vets-api that referenced this issue Apr 22, 2019

Resolves gem vulnerability issues
Stems from:

A CVE for Nokogiri and all vets-api builds will fail until we upgrade nokogiri:

sparklemotion/nokogiri#1892

hpjaj referenced this issue Apr 22, 2019 in merged PR "Resolves gem vulnerability issues with Nokogiri" #2989 (7 of 7 tasks complete)
@nporteschaikin commented Apr 22, 2019

@flavorjones Hi! 👋 Are you also going to backport this fix to the minor version 1.9?

hpjaj added a commit to department-of-veterans-affairs/vets-api that referenced this issue Apr 22, 2019

Resolves gem vulnerability issues with Nokogiri (#2989)
* Resolves gem vulnerability issues

Stems from:

A CVE for Nokogiri and all vets-api builds will fail until we upgrade nokogiri:

sparklemotion/nokogiri#1892
@flavorjones (Member, Author) commented Apr 22, 2019

@nporteschaikin No, was not intending to backport to v1.9.x.

va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Apr 22, 2019

Upgrade Nokogiri (#10500)
CircleCI reported security vulnerability for version 1.8.5. Upgrades Nokogiri to version 1.10.3

```
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock, then specify a safe version of the dependency in the Gemfile (preferred) or snooze the CVE in security.rake for a week.
```

phallstrom added a commit to railslink/railslink that referenced this issue Apr 23, 2019

update nokogiri gem due to CVE-2019-11068
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

phallstrom added a commit to railslink/railslink that referenced this issue Apr 23, 2019

update nokogiri gem due to CVE-2019-11068 (#96)
Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3
@flavorjones (Member, Author) commented Apr 23, 2019

I've added an "interpretation" note in the description to help people understand whether it's likely (or not) that their code is susceptible to this vulnerability. It says the following:

To the best of my (@flavorjones) understanding of the vulnerability, an application should not be vulnerable unless it is doing both of the following things:

  1. explicitly performing XSLT transformations using methods and classes in the Nokogiri::XSLT module
  2. and doing so using untrusted stylesheets or untrusted documents

If your code is not doing both of those things, then I believe you can treat this as a lower priority.
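A small triage script, added here as an example and not code from the Nokogiri project or from anyone in this thread: it parses the bundler-audit style advisory block quoted in the commit messages above, checks the installed version against the "Solution" line with Gem::Requirement, and greps source for Nokogiri::XSLT call sites, which is the first of the two conditions in the interpretation. The sample advisory text and the two source files are constructed; whether the stylesheets and documents fed to XSLT are untrusted (the second condition) still needs a human review of the flagged call sites, so the script only assigns a review priority.

```ruby
# Added triage example (not part of the Nokogiri project or this issue).
# Only rubygems (stdlib) is required; nokogiri itself is not loaded.
require "rubygems"

# Constructed sample, same shape as the audit output quoted in the thread.
SAMPLE_ADVISORY = <<~TEXT
  Name: nokogiri
  Version: 1.8.5
  Advisory: CVE-2019-11068
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1892
  Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
  Solution: upgrade to >= 1.10.3
TEXT

# Constructed sample source tree: one file uses Nokogiri::XSLT, one does not.
SAMPLE_SOURCES = {
  "app/reports/renderer.rb" => "xslt = Nokogiri::XSLT(File.read(path))\nxslt.transform(doc)\n",
  "app/models/feed.rb"      => "Nokogiri::XML(body)\n",
}

# Parse "Key: value" lines into a hash keyed by lower-cased symbols.
def parse_advisory(text)
  text.each_line.with_object({}) do |line, h|
    key, value = line.split(":", 2)
    next unless value
    h[key.strip.downcase.to_sym] = value.strip
  end
end

# Turn "upgrade to >= 1.10.3" into a Gem::Requirement; nil when the
# solution line carries no version constraint.
def solution_requirement(solution)
  constraint = solution.to_s[/(>=|>|~>|=)\s*\d[\w.]*/]
  constraint && Gem::Requirement.new(constraint)
end

# True when the installed version does NOT satisfy the fix requirement.
def vulnerable?(advisory, installed_version = advisory[:version])
  req = solution_requirement(advisory[:solution])
  return true if req.nil? # no known fixed version: treat as affected
  !req.satisfied_by?(Gem::Version.new(installed_version))
end

# First condition of the interpretation: does the code call Nokogiri::XSLT?
# Returns [path, line_number, line] for every hit.
def xslt_call_sites(sources)
  sources.flat_map do |path, code|
    code.each_line.with_index(1)
        .select { |line, _| line.include?("Nokogiri::XSLT") }
        .map { |line, n| [path, n, line.strip] }
  end
end

# Combine both checks into a review priority. The second condition (untrusted
# stylesheets or documents) cannot be decided statically, so :high means
# "both conditions may hold, review the call sites", not "confirmed exploitable".
def triage(advisory_text, sources, installed_version = nil)
  adv = parse_advisory(advisory_text)
  affected = vulnerable?(adv, installed_version || adv[:version])
  uses_xslt = !xslt_call_sites(sources).empty?
  priority =
    if !affected then :not_affected
    elsif uses_xslt then :high
    else :lower # still upgrade, but lower priority per the maintainer's note
    end
  { advisory: adv[:advisory], version_affected: affected,
    xslt_used: uses_xslt, priority: priority }
end

if __FILE__ == $PROGRAM_NAME
  p triage(SAMPLE_ADVISORY, SAMPLE_SOURCES)
end
```

Point `SAMPLE_ADVISORY` at real `bundle-audit` output and `SAMPLE_SOURCES` at a hash built from `Dir.glob("app/**/*.rb")` to run it against an actual project; a `:lower` result is still a reason to upgrade, it just sizes the urgency the way the interpretation does.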

david-a-wheeler added a commit to coreinfrastructure/best-practices-badge that referenced this issue Apr 24, 2019

Update gem nokogiri (1.10.1->1.10.3)
Update nokogiri gem per CVE-2019-11068,
URL: sparklemotion/nokogiri#1892
"Nokogiri gem, via libxslt, is affected by
improper access control vulnerability".

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

dannyvanderheiden added a commit to digidentity/libsaml that referenced this issue Apr 26, 2019

Add support for “nokogiri” gem > 1.8 regarding CVE-2019-11068:
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Kagemaru added a commit to puzzle/puzzletime that referenced this issue Apr 30, 2019

Update Nokogiri to fix vulnerability
Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Kagemaru added a commit to puzzle/puzzletime that referenced this issue Apr 30, 2019

Update Nokogiri to fix vulnerability
Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

rokumatsumoto added a commit to rokumatsumoto/boyutluseyler that referenced this issue May 1, 2019

Update nokogiri gem due to CVE-2019-11068
Name: nokogiri
Version: 1.10.2
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

dentarg added a commit to twingly/feedbag.herokuapp.com that referenced this issue May 2, 2019

Update nokogiri (CVE-2019-11068)
From https://travis-ci.com/twingly/audit/jobs/197170353

Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

dentarg added a commit to twingly/feedjira.herokuapp.com that referenced this issue May 2, 2019

Update nokogiri (CVE-2019-11068)
From https://travis-ci.com/twingly/audit/jobs/197170353

Name: nokogiri
Version: 1.10.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3