Bug 30322

Summary: ruby-nokogiri new security issue CVE-2022-24836
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, java, mageia, pterjan, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ruby-nokogiri-1.11.1-6.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-04-22 20:15:39 CEST 
Fedora has issued an advisory on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/

The issue is fixed upstream in 1.13.4:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Additionally, it doesn't seem to use the system nekohtml, so is probably bundling the fork which is affected by CVE-2022-24839:
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Whether the system nekohtml is affected is not clear, but it sounds like only nokogiri on JRuby is affected by this issue.  Very confusing.

Mageia 8 is also affected.
David Walser 2022-04-22 20:16:01 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.13.4
CC: (none) => java, mageia

Comment 1 Pascal Terjan 2022-04-22 20:30:15 CEST 
nokogiri when built as native module for ruby is C code using libxml2 while when built for jruby it is java code based on xerces. We don't provide the jruby binary, so I believe we are not affected by CVE-2022-24839.
Comment 2 David Walser 2022-04-22 21:14:29 CEST 
That sounds right.  Do you have any idea if our nekohtml package (which is java) is affected?
Comment 3 David Walser 2022-04-23 02:10:03 CEST 
ruby-nokogiri-1.13.4-1.mga9 uploaded for Cauldron by Pascal.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 4 Pascal Terjan 2022-05-06 16:39:26 CEST 
ruby-nokogiri-1.11.1-1.1.mga8 is currently being uploaded (that's quite a few 1s).

Suggested reproducer:

time ruby -rnokogiri -e 's="<?xml " + (" " * 40000); s.encode!("ASCII-8BIT"); Nokogiri::HTML(s)'

Here before the update it takes 15s, after the update it takes 0.08s
Comment 5 David Walser 2022-05-06 17:39:47 CEST 
ruby-nokogiri-1.11.1-1.1.mga8
ruby-nokogiri-doc-1.11.1-1.1.mga8

from ruby-nokogiri-1.11.1-1.1.mga8.src.rpm

Status comment: Fixed upstream in 1.13.4 => (none)
Assignee: pterjan => qa-bugs
CC: (none) => pterjan

Comment 6 Len Lawrence 2022-05-07 11:34:15 CEST 
mga8, x86_64

Removed ruby gem nokogiri.  Installed ruby-nokogiri.
Tried Pascal's reproducer.
Before update:
$ time ruby -rnokogiri -e 's="<?xml " + (" " * 40000); s.encode!("ASCII-8BIT"); Nokogiri::HTML(s)'

real	0m5.181s

After update:
$ time ruby -rnokogiri -e 's="<?xml " + (" " * 40000); s.encode!("ASCII-8BIT"); Nokogiri::HTML(s)'

real	0m0.076s

Used the bundled gem to parse an XML playlist.
$ irb
irb(main):001:0> require "nokogiri"
=> true
irb(main):002:0> file = "channels.xspf"
=> "channels.xspf"
irb(main):003:0> doc = File.read( file )
=> "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<playlist xmlns=\"h...
irb(main):004:0> check = Nokogiri::XML( doc )
=> #<Nokogiri::XML::Document:0xec68 name="document" children=[#<Nok...
irb(main):005:0> puts check.errors
=> nil

Likewise for a 6 MB HTML file.
irb(main):007:0> file = "bookmarks.html"
=> "bookmarks.html"
irb(main):008:0> html = File.read( file )
=> "<!DOCTYPE NETSCAPE-Bookmark-file-1>\n<!-- This is an automatica...
irb(main):009:0> doc = Nokogiri::HTML( html )
=> #<Nokogiri::HTML::Document:0x943cc name="document" children=[#<N...
irb(main):010:0> puts doc.errors
[...]
3721:127: ERROR: htmlParseEntityRef: expecting ';'
3721:140: ERROR: htmlParseEntityRef: expecting ';'
=> nil
irb(main):011:0> puts doc.errors.length
1315

<In fact these errors don't seem to affect a browser.>

I have no useful knowledge of this subject so tried a simple example at https://riptutorial.com/nokogiri.
$ irb search.rb
search.rb(main):001:0> require 'nokogiri'
=> true
search.rb(main):002:0> 
search.rb(main):003:0> doc = Nokogiri::HTML(<<EOT)
search.rb(main):004:-" <html>
search.rb(main):005:-"   <body>
search.rb(main):006:-"     <p>foo</p>
search.rb(main):007:-"     <p>bar</p>
search.rb(main):008:-"   </body>
search.rb(main):009:-" </html>
search.rb(main):010:-" EOT
=> #<Nokogiri::HTML::Document:0x17c name="document" children=[#<Nokogiri::X...
search.rb(main):011:0> 
search.rb(main):012:0> doc.search('p').text        # => "foobar"
=> "foobar"
search.rb(main):013:0> doc.search('p').map(&:text) # => ["foo", "bar"]
=> ["foo", "bar"]

Good enough.  OK for 64 bits.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 7 Thomas Andrews 2022-05-07 15:00:09 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-08 01:58:57 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-05-08 10:01:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0164.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED