Bug 28448

Summary: ruby-mechanize new security issue CVE-2021-21289
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, herman.viaene, mageia, ouaurelien, pterjan, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Source RPM: ruby-mechanize-2.7.6-3.mga8.src.rpm
CVE: CVE-2021-21289
Status comment:

Description David Walser 2021-02-26 17:37:12 CET
Debian-LTS has issued an advisory on February 17:
https://www.debian.org/lts/security/2021/dla-2561

The issue is fixed upstream in 2.7.7:
https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 17:37:24 CET

Status comment: (none) => Fixed upstream in 2.7.7
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-02-27 09:16:58 CET
This has no registered nor recent maintainer, so assigning it globally. CC'ing Pascal, who maintained it long ago.

CC: (none) => pterjan
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-02-27 19:07:12 CET
Fedora has issued an advisory for this on February 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
Comment 3 Pascal Terjan 2021-03-01 11:45:49 CET
All 5 relevant commits are part of https://github.com/sparklemotion/mechanize/pull/548

So https://patch-diff.githubusercontent.com/raw/sparklemotion/mechanize/pull/548.patch gives a combined patch
Comment 4 Nicolas Lécureuil 2021-03-05 14:56:14 CET
I rediffed the patch and applied it on mga9/8/7

src:
    - ruby-mechanize-2.7.6-2.1.mga7
    - ruby-mechanize-2.7.6-3.1.mga8

Status comment: Fixed upstream in 2.7.7 => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia

Comment 5 David Walser 2021-03-05 18:25:22 CET
Advisory:
========================

Updated ruby-mechanize packages fix security vulnerability:

In Mechanize, from v2.0.0 until v2.7.7, there is a command injection
vulnerability. Affected versions of Mechanize allow for OS commands to be
injected using several classes' methods which implicitly use Ruby's Kernel#open
method (CVE-2021-21289).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21289
https://www.debian.org/lts/security/2021/dla-2561
========================

Updated packages in core/updates_testing:
========================
ruby-mechanize-2.7.6-2.1.mga7
ruby-mechanize-doc-2.7.6-2.1.mga7
ruby-mechanize-2.7.6-3.1.mga8
ruby-mechanize-doc-2.7.6-3.1.mga8

from SRPMS:
ruby-mechanize-2.7.6-2.1.mga7.src.rpm
ruby-mechanize-2.7.6-3.1.mga8.src.rpm
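The advisory above names the root cause: Kernel#open treats a name beginning with "|" as a command to spawn. The following Ruby is an added illustration, not code from this bug report or from mechanize itself; it shows a guard for such names and the File.open replacement that the upstream 2.7.7 fix applies. The helper names (pipe_name?, safe_read, demo) and the hostile sample name are my own.

```ruby
# Added example, not code from the Mageia bug report or from mechanize itself.
# Kernel#open treats a name beginning with "|" as "spawn this command and open
# a pipe to it", so any call site that passes attacker-influenced names (a
# Content-Disposition filename, a URL) to Kernel#open is a command injection
# sink. File.open has no such special case and opens a file by that literal
# name, which is the replacement the upstream 2.7.7 fix applies.
require 'tempfile'

# Flags a name Kernel#open would treat as a pipe. Useful as a guard or as a
# detection check in code review; it never calls open.
def pipe_name?(name)
  name.to_s.start_with?('|')
end

# Reads a file via File.open, so "|" has no meaning. Returns the contents,
# or nil when no file of that literal name exists.
def safe_read(name)
  File.open(name, 'rb', &:read)
rescue Errno::ENOENT
  nil
end

# Constructed, obviously hostile name (hypothetical; not from the advisory).
HOSTILE_NAME = '|echo hostile'

# Runs both helpers on the hostile name and on a real temporary file.
def demo
  results = {
    hostile_is_pipe:   pipe_name?(HOSTILE_NAME),
    hostile_safe_read: safe_read(HOSTILE_NAME)   # nil: nothing is executed
  }
  Tempfile.create('mechanize-demo') do |f|
    f.write("hello\n")
    f.flush
    results[:benign_is_pipe]   = pipe_name?(f.path)
    results[:benign_safe_read] = safe_read(f.path)
  end
  results
end

p demo if __FILE__ == $0
```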
Comment 6 Len Lawrence 2021-03-05 22:24:11 CET
mga8, x64

CVE-2021-21289 : nothing we can follow up.

Installing the bundled gem pulled in these packages:
  ruby-connection_pool           2.2.3        1.mga8        noarch  
  ruby-domain_name               0.5.20190701 1.mga8        noarch  
  ruby-http-cookie               1.0.3        3.mga8        noarch  
  ruby-mechanize                 2.7.6        3.mga8        noarch  
  ruby-mime-types                3.3.1        1.mga8        noarch  
  ruby-mime-types-data           3.2019.1009  1.mga8        noarch  
  ruby-net-http-digest_auth      1.4.1        3.mga8        noarch  
  ruby-net-http-persistent       3.1.0        1.mga8        noarch  
  ruby-nokogiri                  1.11.1       1.mga8        x86_64  
  ruby-ntlm-http                 0.1.1        15.mga8       noarch  
  ruby-racc                      1.5.0        1.mga8        x86_64  
  ruby-rake                      13.0.1       33.mga8       noarch  
  ruby-unf                       0.1.4        3.mga8        noarch  
  ruby-unf_ext                   0.0.7.6      1.mga8        x86_64  
  ruby-webrobots                 0.1.2        3.mga8        noarch  

Introduction at
https://medium.com/@katanatran/beginners-guide-to-website-scraping-with-mechanize-ruby-gem-99d6d797291d

Following the tutorial to get some idea of what "web scraping" means.
The website was not accessible so this could not be taken any further, and in any case it looks like a set of special tools might be required in addition to this package.

Updated ruby-mechanize.

Tried these few lines of code:
$ cat intro.rb
--------------------------------------------------------------------
#!/usr/bin/ruby -W0
require 'mechanize'

mechanize = Mechanize.new
File.write( "mechanics", mechanize.methods )
page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' ) 
File.write( "pagemethods", page.methods )
--------------------------------------------------------------------

$ cat mechanics
[:default_encoding, :force_default_encoding, :keep_alive_time, :pluggable_parser, :proxy_addr, :proxy_pass, :proxy_port, :proxy_user, :auth, :basic_auth, :add_auth, :key, :conditional_requests, :conditional_requests=, :cookie_jar, :cookie_jar=, :cookies, :follow_meta_refresh, :follow_meta_refresh=, :follow_meta_refresh_self, :follow_meta_refresh_self=, :gzip_enabled, :gzip_enabled=, :idle_timeout, :idle_timeout=, :ignore_bad_chunking, :ignore_bad_chunking=, :keep_alive,
....................
 :pretty_print_cycle, :pretty_print_inspect, :pretty_print_instance_variables, :dup, :itself, :yield_self, :then, :taint, :tainted?, :untaint, :untrust, :untrusted?, :trust, :frozen?, :methods, :singleton_methods, :protected_methods, :private_methods, :public_methods, :instance_variables, :instance_variable_get, :instance_variable_set, :instance_variable_defined?, :remove_instance_variable, :instance_of?, :kind_of?, :is_a?, :tap, :clone, :display, :hash, :class, :singleton_class, :public_send, :method, :public_method, :singleton_method, :define_singleton_method, :extend, :pretty_inspect, :to_enum, :enum_for, :<=>, :===, :=~, :!~, :nil?, :eql?, :respond_to?, :freeze, :inspect, :object_id, :send, :to_s, :__send__, :!, :==, :!=, :equal?, :__id__, :instance_eval, :instance_exec]

This is the sort of output one would expect.

$ irb
require 'mechanize'
=> true
mechanize = Mechanize.new
=> #<Mechanize:0x0000000001cd9078 @agent=#<Mechanize::HTTP::Agent:0x0000000...
irb(main):004:0> page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' )
=> 
#<Mechanize::Page
...
irb(main):005:0> puts page.link
<blank lines>
=> nil
irb(main):006:0> puts page.title
Word of the Day: Abhor | Merriam-Webster
=> nil
irb(main):007:0> 
irb(main):008:0> page.body
<This returns a chunk of HTML code>
irb(main):008:0> exit

The functionality seems to be OK but we do not have the expertise to push this any further.  Giving it an OK.

CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 Len Lawrence 2021-03-05 22:26:32 CET
The Merriam Webster page came up OK on another attempt and presented Abhor as the word-of-the-day.
Comment 8 Herman Viaene 2021-03-08 14:02:43 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Trying to follow Len's tests above.
The first test with the intro.rb file is OK, but the second example fails in the way that after the page call, I get
irb(main):004:0> puts page.link
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):4
NameError (undefined local variable or method `page' for main:Object)
irb(main):005:0> puts page.title
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):5
NameError (undefined local variable or method `page' for main:Object)
irb(main):006:0> 
Looking at the line numbering, it looks like some line is missing from the code, and looking at the site Len is referring to, I think it should be a "page.search" statement, but I have no idea what the parameters should be.
This looks really like developer's stuff, which we often have OK'ed in the past on a clean install.

CC: (none) => herman.viaene

Comment 9 Len Lawrence 2021-03-08 16:51:57 CET
@Herman, referring to comment 8:

That is odd.  I ran the script with ruby and it worked fine.
This is the file used here:

#!/usr/bin/ruby -W0
require 'mechanize'
mechanize = Mechanize.new
File.write( "mechanics", mechanize.methods )
page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' ) 
File.write( "pagemethods", page.methods )

$ ruby intro.rb

The code can also be dropped into IRB as is - cut&paste the text.
That works here but I hit encoding problems when adding this instruction:

puts page.body
which raises an error:
Encoding::UndefinedConversionError ("\xC2" from ASCII-8BIT to UTF-8)
Ruby can handle encoding conversions, but it can be confusing where to apply such conversions.  For instance, if the puts page.body instruction is included in the file and you do
$ ruby intro.rb

This returns squillions of lines of HTML ending with

            
    <!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '673022290083244');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=673022290083244&ev=PageView&noscript=1"
/></noscript>
<!-- End Facebook Pixel Code -->  </body>
</html>

So essentially no problem.

However, I just noticed the ellipsis in my report: the ... was meant to signify the missing lines in the irb input/output, so you are correct; the "page = ..." command is missing.  I was just trying to reduce the verbiage.  Sorry about that.

The attributes are returned by parameters like page.title, page.body, page.whatever.  Again, apologies.  Just OK the package.
Comment 10 Herman Viaene 2021-03-08 17:02:18 CET
OK then, tx for looking into it.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 11 Thomas Andrews 2021-03-08 17:08:29 CET
Good work, Gentlemen! Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Aurelien Oudelet 2021-03-11 22:14:01 CET
Advisory committed to svn.

CVE: (none) => CVE-2021-21289
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 13 Mageia Robot 2021-03-12 02:27:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0124.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED