Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
CVE: (none) => CVE-2020-26247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26247
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://ubuntu.com/security/CVE-2020-26247
https://bugzilla.redhat.com/show_bug.cgi?id=1912487
Whiteboard: (none) => MGA7TOO
Summary: ruby-nokogiri security issue CVE-2020-26247 => ruby-nokogiri new security issue CVE-2020-26247
Status comment: (none) => Patch available from upstream
Freeze push asked
CC: (none) => mageia
Checked not a duplicate. Assigning to Pascal as the main committer of this; NicolasL is already CC'd.
Assignee: bugsquad => pterjan
fixed in cauldron
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Fixed in ruby-nokogiri-1.11.1-1.mga8.
SUSE has issued an advisory for this today (January 25): https://lists.suse.com/pipermail/sle-security-updates/2021-January/008244.html It also fixes another CVE, fixed upstream in 1.10.4.
Summary: ruby-nokogiri new security issue CVE-2020-26247 => ruby-nokogiri new security issues CVE-2019-5477 and CVE-2020-26247
Status comment: Patch available from upstream => Patches available from upstream
Source RPM: ruby-nokogiri-1.10.10-1.mga8.src.rpm => ruby-nokogiri-1.10.1-1.mga7.src.rpm
Status: NEW => ASSIGNED
Given that there are a few behaviour changes / removed methods in 1.11.0 I will go with 1.10.10 + patch for CVE-2020-26247 for Mageia 7
ruby-nokogiri-1.10.10-1.mga7 is in core/updates_testing
Advisory:
========================

Updated ruby-nokogiri packages fix security vulnerabilities:

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477).

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible (CVE-2020-26247).

The ruby-nokogiri package has been updated to version 1.10.10 to fix CVE-2019-5477 and patched to fix CVE-2020-26247.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247
https://github.com/sparklemotion/nokogiri/releases/
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008244.html
========================

Updated packages in core/updates_testing:
========================
ruby-nokogiri-1.10.10-1.mga7
ruby-nokogiri-doc-1.10.10-1.mga7

from ruby-nokogiri-1.10.10-1.mga7.src.rpm
Status comment: Patches available from upstream => (none)
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
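The advisory above describes the CVE-2019-5477 mechanism in one sentence: `Kernel.open` on an attacker-controlled filename. The following Ruby script is an added illustration of that bug class and is not Nokogiri's own code; `load_file_unsafe` and `load_file_safe` are hypothetical stand-ins for a routine that reads a caller-supplied filename, as `Nokogiri::CSS::Tokenizer#load_file` did before the fix in 1.10.4. The sample selector file and the `|echo injected` payload are constructed for the demonstration.

```ruby
# Added illustration of the CVE-2019-5477 bug class described in the advisory.
# This is NOT Nokogiri's code: load_file_unsafe/load_file_safe are hypothetical
# stand-ins for a routine that reads a caller-supplied filename, as
# Nokogiri::CSS::Tokenizer#load_file did with Kernel.open before 1.10.4.
require "tmpdir"

# Vulnerable pattern: Kernel.open treats a leading "|" as "run this command
# and hand me its stdout", so an attacker-controlled filename becomes a
# subprocess invocation (IO.popen under the hood).
def load_file_unsafe(filename)
  open(filename) { |io| io.read }
end

# Hardened pattern: File.open only ever opens a path; a leading "|" is just
# another character in the filename and no subprocess is spawned.
def load_file_safe(filename)
  File.open(filename, "r") { |io| io.read }
end

# Constructed sample input: a small CSS selector file in a temp directory.
SAMPLE_PATH = File.join(Dir.mktmpdir("nokogiri-5477-demo"), "selector.css")
File.write(SAMPLE_PATH, "a[href='x']")

# Constructed attacker input: a "filename" that is really a pipe spec.
PIPE_PAYLOAD = "|echo injected"

# With Kernel.open the payload runs `echo injected` and returns its output.
def demo_unsafe
  load_file_unsafe(PIPE_PAYLOAD).strip
end

# With File.open the same payload is looked up as a literal path and fails
# with ENOENT; nothing is executed.
def demo_safe
  load_file_safe(PIPE_PAYLOAD)
  :opened_a_file
rescue Errno::ENOENT
  :no_such_file
end

if __FILE__ == $PROGRAM_NAME
  puts "legit file via File.open: #{load_file_safe(SAMPLE_PATH).inspect}"
  puts "payload via Kernel.open:  #{demo_unsafe.inspect}"
  puts "payload via File.open:    #{demo_safe.inspect}"
end
```

Run it with `ruby demo.rb`: the same string reaches both functions, but only the `Kernel.open` path produces "injected", which is exactly why the advisory scopes the vulnerability to callers that pass unsafe user input as the filename. The practical check in an audit is to grep for bare `open(` on values that can originate outside the process and replace them with `File.open`/`File.read`.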
Created attachment 12300: A few basic commands for nokogiri in a ruby script

The channels.xspf file should be replaced by whatever XML file is to hand.
CC: (none) => tarazed25
mga7, x86_64

Installed nokogiri and updated the two packages because there is no easy way to demonstrate an exploit.

Consulted https://nokogiri.org/tutorials/parsing_an_html_xml_document.html for help running a few basic commands - see the attached script.

$ ruby nokogiri_trial.rb
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><h1>Mr. Belvedere Fan Club</h1></body></html>
<?xml version="1.0"?>
<root>
  <aliens>
    <alien>
      <name>Alf</name>
    </alien>
  </aliens>
</root>
<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1">
  <title>DVB Playlist</title>
  <creator>w_scan2-1.0.9</creator>
  <info>https://github.com/stefantalpalaru/w_scan2</info>
  <trackList>
    <track>
      <title>0001. STV</title>
      <location>dvb-t://frequency=498000000</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
Al Bundy
Bud Bundy
Marcy Darcy
Larry Appleton
Balki Bartokomous
John "Hannibal" Smith
Templeton "Face" Peck
"B.A." Baracus
"Howling Mad" Murdock

shows.xml was copied from the tutorial site. There is a lot more to the parser than this but it is too big a job to take this any further so it can be sent on.
Created attachment 12301: Specimen XML file

This was copied from the tutorial pages at https://nokogiri.org/tutorials/parsing_an_html_xml_document.html

The web_doc.html file is written on the fly.
Whiteboard: (none) => MGA7-64-OK
Created attachment 12302: Script with some basic commands for ruby nokogiri
Validating. Advisory in Comment 9.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to SVN.
Keywords: (none) => advisory
CVE: CVE-2020-26247 => CVE-2019-5477, CVE-2020-26247
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0063.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED