
CVE-2019-5477 - Nokogiri Command Injection Vulnerability #1915

Closed
flavorjones opened this issue Jul 20, 2019 · 4 comments

Comments

@flavorjones (Member) commented Jul 20, 2019

This issue has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Nokogiri maintainers.

Severity

Nokogiri maintainers have evaluated this as High (CVSS3 8.1)

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Affected Versions

Nokogiri < v1.10.4

Mitigation

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Further Mitigating Actions Taken

This vulnerability could have been easily detected using Rubocop's Security cop, and so the Security cop has been introduced into the test suite. If for any reason Rubocop flags something as "insecure" in the future, that will fail the test suite and block release.


History of this public disclosure

  • 2019-07-20T19:42+00:00: empty issue-of-record created, all information is embargoed
  • 2019-08-11T19:28+00:00: embargo ends, full information made available
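The two readers below are an added illustration of the bug shape described in this advisory; they are not Nokogiri's or Rexical's code (the page does not show the generated `load_file` body). `Kernel#open` treats a string argument that begins with `|` as a command to spawn, so any reader built on it executes attacker-supplied input; `File.open` only ever opens a path. The function names, the sample CSS file and the `|echo injected` payload are constructed for this example.

```ruby
require "tempfile"

# Vulnerable shape: Kernel#open. If the string starts with "|", Ruby does not
# open a file at all; it spawns the rest of the string as a shell command and
# returns a pipe to its stdout. This is the primitive behind CVE-2019-5477.
def load_file_vulnerable(filename)
  open(filename) { |io| io.read } # Kernel#open, pipe-aware
end

# Hardened shape: File.open only ever opens a path. A leading "|" is just a
# character in a filename, so "|id" raises Errno::ENOENT instead of running id.
def load_file_safe(filename)
  File.open(filename, "r") { |io| io.read }
end

# Mirrors the rule Kernel#open applies to string arguments; useful as a
# pre-check where an API must keep accepting arbitrary path strings.
def command_open?(arg)
  arg.is_a?(String) && arg.start_with?("|")
end

# Constructed sample: a small CSS snippet on disk so both readers have a
# legitimate file to read.
def with_sample_file
  Tempfile.create(["tokens", ".css"]) do |f|
    f.write("a > b { color: red }\n")
    f.flush
    yield f.path
  end
end

# Runs both readers against a real path and against an attacker-controlled
# "path" and returns what each one observed.
def demo
  payload = "|echo injected" # attacker-controlled value, constructed for this example
  results = {}
  with_sample_file do |path|
    results[:legit_vulnerable] = load_file_vulnerable(path)
    results[:legit_safe] = load_file_safe(path)
  end
  results[:payload_vulnerable] = load_file_vulnerable(payload) # spawns `echo injected`
  results[:payload_safe] = begin
    load_file_safe(payload)
  rescue Errno::ENOENT => e
    e.class # the hardened reader never reaches a shell
  end
  results
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Both readers return the same bytes for a real file, which is why a bug like this survives ordinary tests; only the payload case separates them. Rubocop's `Security/Open` cop flags the `open(filename)` call in `load_file_vulnerable` because its argument is dynamic, which is the check the advisory says has been added to Nokogiri's test suite.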
@flavorjones (Member Author) commented Aug 10, 2019

Checklist:

  • push commits to v1.10.x branch
  • watch nokogiri-v1.10.x pipeline go green
  • release v1.10.4
  • update this issue with full details
  • apply those commits to master

@flavorjones flavorjones added this to the v1.10.x patch releases milestone Aug 10, 2019

flavorjones added a commit that referenced this issue Aug 11, 2019
eliminate `eval` from Builder#initialize
which was raised by Rubocop's security filter

related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
update CHANGELOG
related to #1915
@flavorjones (Member Author) commented Aug 11, 2019

v1.10.4 has been released addressing this vulnerability.


@flavorjones flavorjones changed the title [placeholder] embargoed security vulnerability CVE-2019-5477 - Nokogiri Command Injection Vulnerability Aug 11, 2019

@touhouota touhouota referenced this issue Aug 12, 2019
va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Aug 13, 2019
Update Nokogiri to protect against CVE-2019-5477 (#11751)
`bundle exec rake security` alerted us to a vulnerability in the Nokogiri library we use for XML and HTML parsing. This PR updates the library to a version that is not vulnerable to the disclosed CVE as per the directions presented by the maintainers (sparklemotion/nokogiri#1915).

```bash
$> bundle exec rake security
...
Updated ruby-advisory-db
ruby-advisory-db: 384 advisories
Looking for ~/Projects/caseflow/.security.yml
bundle-audit check --ignore=
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: Unknown
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock,
then specify a safe version of the dependency in the Gemfile (preferred) or
snooze the CVE in .security.yml for a week.
```
dentarg added a commit to twingly/feedbag.herokuapp.com that referenced this issue Aug 14, 2019
dentarg added a commit to twingly/feedjira.herokuapp.com that referenced this issue Aug 14, 2019
@greysteil (Contributor) commented Aug 15, 2019

@flavorjones thanks for all your work on this and everything else you do.

I'm on the security team at GitHub these days, and noticed that this didn't come through to our advisory curation team via the NVD feed, even though you've got a CVE for it. It looks like that's because the CVE has been assigned but not published.

Would you mind prodding HackerOne to mark this as published, now that it's been publicly disclosed? We're also planning to make it easy to get CVEs through GitHub itself and have the publishing process for them automated, so hopefully we can help more here in future.

phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
@reedloden commented Aug 15, 2019

@greysteil We (HackerOne) submitted it to MITRE for publication this morning (we normally only do this once a week, unless specifically asked to do it sooner). Once they process it, should be all live.

@arku arku referenced this issue Aug 15, 2019
@touhouota touhouota referenced this issue Aug 17, 2019
iszandro added a commit to iszandro/machetito that referenced this issue Aug 19, 2019
@majormoses majormoses referenced this issue Aug 21, 2019
jeffersonlyle-pr added a commit to PrimeRevenue/primerevenue.github.io that referenced this issue Aug 22, 2019
Update Gemfile.lock
Changed the version of Nokogiri to a version that does not suffer from the CVE, as advised by the Nokogiri developers:
sparklemotion/nokogiri#1915
zdennis added a commit to Genius/modern_searchlogic that referenced this issue Aug 22, 2019
@ghardytest ghardytest bot referenced this issue Aug 22, 2019
ryanzidago added a commit to ryanzidago/nautica_backend that referenced this issue Aug 23, 2019
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 25, 2019
tsutsui
ruby-nokogiri: update to 1.10.4.
Upstream changelog:
 https://github.com/sparklemotion/nokogiri/blob/v1.10.4/CHANGELOG.md

# 1.10.4 / 2019-08-07

### Security

#### Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem
versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate
lexical scanner code for parsing CSS queries. The underlying
vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded
to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is
sparklemotion/nokogiri#1915
senid231 added a commit to senid231/yeti-web that referenced this issue Aug 26, 2019
fix vulnerability CVE-2019-5477
sparklemotion/nokogiri#1915
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
senid231 added a commit to senid231/yeti-web that referenced this issue Aug 27, 2019
fix vulnerability CVE-2019-5477
sparklemotion/nokogiri#1915
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Cruikshanks added a commit to DEFRA/defra-ruby-area that referenced this issue Aug 28, 2019
Update minimum Nokogiri version to 1.10.4
[CVE-2019-5477](sparklemotion/nokogiri#1915) identifies an issue in Nokogiri version 1.10.3. The resolution is to upgrade to version 1.10.4.

Hakiri is failing our build because our minimum requirement is 1.10.3 hence this change to bump it to the fixed version.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
Add CVE-2019-5477 to the travis ignore list
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
Add CVE-2019-5477 to the travis ignore list (SOC-9635)
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
Add CVE-2019-5477 to the travis ignore list (SOC-9635)
@ghardytest ghardytest bot referenced this issue Aug 29, 2019
rhafer added a commit to rhafer/crowbar-core that referenced this issue Aug 30, 2019
Add CVE-2019-5477 to the travis ignore list (SOC-9635)
(cherry picked from commit 8400e28)
rhafer added a commit to rhafer/crowbar-core that referenced this issue Aug 30, 2019
Add CVE-2019-5477 to the travis ignore list (SOC-9635)
(cherry picked from commit 8400e28)