Debian-LTS has issued an advisory on February 17:
https://www.debian.org/lts/security/2021/dla-2561

The issue is fixed upstream in 2.7.7:
https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g

Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 2.7.7
Whiteboard: (none) => MGA8TOO, MGA7TOO
This has no registered nor recent maintainer, so assigning it globally. CC'ing Pascal, who maintained it long ago.
CC: (none) => pterjan
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on February 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNFZ7ROYS6V4J5L5PRAJUG2AWC7VXR2V/
All 5 relevant commits are part of https://github.com/sparklemotion/mechanize/pull/548

So https://patch-diff.githubusercontent.com/raw/sparklemotion/mechanize/pull/548.patch gives a combined patch.
I rediffed the patch and applied it to the mga9/8/7 src:
- ruby-mechanize-2.7.6-2.1.mga7
- ruby-mechanize-2.7.6-3.1.mga8
Status comment: Fixed upstream in 2.7.7 => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia
Advisory:
========================

Updated ruby-mechanize packages fix security vulnerability:

In Mechanize, from v2.0.0 until v2.7.7, there is a command injection vulnerability. Affected versions of Mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel#open method (CVE-2021-21289).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21289
https://www.debian.org/lts/security/2021/dla-2561
========================

Updated packages in core/updates_testing:
========================
ruby-mechanize-2.7.6-2.1.mga7
ruby-mechanize-doc-2.7.6-2.1.mga7
ruby-mechanize-2.7.6-3.1.mga8
ruby-mechanize-doc-2.7.6-3.1.mga8

from SRPMS:
ruby-mechanize-2.7.6-2.1.mga7.src.rpm
ruby-mechanize-2.7.6-3.1.mga8.src.rpm
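The advisory above names the bug class (command injection through Ruby's Kernel#open) but this report carries none of the affected code. The following Ruby snippet is an added example for the editor's notes, not code from this bug report and not Mechanize's own code: it reproduces the generic pattern behind CVE-2021-21289, a bare `open` call on a name an attacker can steer, next to the `File.open` form that the fix moves to. The filename "|echo pwned", the function names and the temporary directory are constructed for illustration; which Mechanize methods were affected is not stated here beyond the advisory text.

```ruby
require "tmpdir"

# Constructed for this example: a filename an attacker can influence, e.g.
# one derived from a server response. Kernel#open treats a leading "|" as
# "spawn this command and hand me a pipe to it", not as a filename.
HOSTILE_NAME = "|echo pwned"

# Vulnerable shape: a bare `open` inside a method resolves to Kernel#open,
# so the hostile name runs `echo pwned` and the "file contents" returned
# are that command's stdout.
def vulnerable_read(name)
  open(name, "r") { |io| io.read }
end

# Hardened shape (the direction of the upstream fix): File.open treats every
# argument as a path. "|echo pwned" is simply a file that does not exist,
# so we get nil instead of a command running.
def hardened_read(name)
  File.open(name, "r") { |io| io.read }
rescue Errno::ENOENT
  nil
end

# Saving a response body to disk, the other side of the same bug: with
# File.open the hostile name becomes a literal file named "|echo pwned"
# inside dir and nothing is executed. Returns the path written.
def hardened_save(dir, name, body)
  path = File.join(dir, File.basename(name))
  File.open(path, "wb") { |io| io.write(body) }
  path
end

if __FILE__ == $PROGRAM_NAME
  puts "Kernel#open returned: #{vulnerable_read(HOSTILE_NAME).inspect}"
  puts "File.open returned:   #{hardened_read(HOSTILE_NAME).inspect}"
  Dir.mktmpdir do |dir|
    path = hardened_save(dir, HOSTILE_NAME, "response body")
    puts "Saved literally to:   #{path.inspect}"
  end
end
```

Run it with plain `ruby`: the first line prints "pwned\n", proving that `echo` was executed by the vulnerable function, while the hardened functions never touch a shell. When auditing a Ruby code base for this class of bug, grep for bare `open(` calls whose first argument is not a literal and replace them with `File.open` (for files) or `URI.open` (for URLs) as appropriate.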
mga8, x64

CVE-2021-21289: nothing we can follow up.

Installing the bundled gem pulled in these packages:

ruby-connection_pool 2.2.3 1.mga8 noarch
ruby-domain_name 0.5.20190701 1.mga8 noarch
ruby-http-cookie 1.0.3 3.mga8 noarch
ruby-mechanize 2.7.6 3.mga8 noarch
ruby-mime-types 3.3.1 1.mga8 noarch
ruby-mime-types-data 3.2019.1009 1.mga8 noarch
ruby-net-http-digest_auth 1.4.1 3.mga8 noarch
ruby-net-http-persistent 3.1.0 1.mga8 noarch
ruby-nokogiri 1.11.1 1.mga8 x86_64
ruby-ntlm-http 0.1.1 15.mga8 noarch
ruby-racc 1.5.0 1.mga8 x86_64
ruby-rake 13.0.1 33.mga8 noarch
ruby-unf 0.1.4 3.mga8 noarch
ruby-unf_ext 0.0.7.6 1.mga8 x86_64
ruby-webrobots 0.1.2 3.mga8 noarch

Introduction at https://medium.com/@katanatran/beginners-guide-to-website-scraping-with-mechanize-ruby-gem-99d6d797291d

Following the tutorial to get some idea of what "web scraping" means. The website was not accessible so this could not be taken any further, and in any case it looks like a set of special tools might be required in addition to this package.

Updated ruby-mechanize.

Tried these few lines of code:

$ cat intro.rb
--------------------------------------------------------------------
#!/usr/bin/ruby -W0
require 'mechanize'

# Create a browser-like agent and dump its method list to a file.
mechanize = Mechanize.new
File.write( "mechanics", mechanize.methods )

# Fetch a page and dump the page object's method list as well.
page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' )
File.write( "pagemethods", page.methods )
--------------------------------------------------------------------

$ cat mechanics
[:default_encoding, :force_default_encoding, :keep_alive_time, :pluggable_parser, :proxy_addr, :proxy_pass, :proxy_port, :proxy_user, :auth, :basic_auth, :add_auth, :key, :conditional_requests, :conditional_requests=, :cookie_jar, :cookie_jar=, :cookies, :follow_meta_refresh, :follow_meta_refresh=, :follow_meta_refresh_self, :follow_meta_refresh_self=, :gzip_enabled, :gzip_enabled=, :idle_timeout, :idle_timeout=, :ignore_bad_chunking, :ignore_bad_chunking=, :keep_alive,
....................
:pretty_print_cycle, :pretty_print_inspect, :pretty_print_instance_variables, :dup, :itself, :yield_self, :then, :taint, :tainted?, :untaint, :untrust, :untrusted?, :trust, :frozen?, :methods, :singleton_methods, :protected_methods, :private_methods, :public_methods, :instance_variables, :instance_variable_get, :instance_variable_set, :instance_variable_defined?, :remove_instance_variable, :instance_of?, :kind_of?, :is_a?, :tap, :clone, :display, :hash, :class, :singleton_class, :public_send, :method, :public_method, :singleton_method, :define_singleton_method, :extend, :pretty_inspect, :to_enum, :enum_for, :<=>, :===, :=~, :!~, :nil?, :eql?, :respond_to?, :freeze, :inspect, :object_id, :send, :to_s, :__send__, :!, :==, :!=, :equal?, :__id__, :instance_eval, :instance_exec]

This is the sort of output one would expect.

$ irb
require 'mechanize'
=> true
mechanize = Mechanize.new
=> #<Mechanize:0x0000000001cd9078 @agent=#<Mechanize::HTTP::Agent:0x0000000...
irb(main):004:0> page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' )
=> #<Mechanize::Page ...
irb(main):005:0> puts page.link
<blank lines>
=> nil
irb(main):006:0> puts page.title
Word of the Day: Abhor | Merriam-Webster
=> nil
irb(main):007:0>
irb(main):008:0> page.body
<This returns a chunk of HTML code>
irb(main):008:0> exit

The functionality seems to be OK but we do not have the expertise to push this any further.

Giving it an OK.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
The Merriam Webster page came up OK on another attempt and presented Abhor as the word-of-the-day.
MGA7-64 MATE on Peaq C1011

No installation issues.

Trying to follow Len's tests above. The first test with the intro.rb file is OK, but the second example fails in that after the page call I get:

irb(main):004:0> puts page.link
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):4
NameError (undefined local variable or method `page' for main:Object)
irb(main):005:0> puts page.title
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):5
NameError (undefined local variable or method `page' for main:Object)
irb(main):006:0>

Looking at the line numbering, it looks like some line is missing from the code, and looking at the site Len is referring to, I think it should be a "page.search" statement, but I have no idea what the parameters should be.

This looks really like developer's stuff, which we often have OK'ed in the past on a clean install.
CC: (none) => herman.viaene
@Herman, referring to comment 8:

That is odd. I ran the script with ruby and it worked fine. This is the file used here:

#!/usr/bin/ruby -W0
require 'mechanize'

# Create a browser-like agent and dump its method list to a file.
mechanize = Mechanize.new
File.write( "mechanics", mechanize.methods )

# Fetch a page and dump the page object's method list as well.
page = mechanize.get( 'https://www.merriam-webster.com/word-of-the-day' )
File.write( "pagemethods", page.methods )

$ ruby intro.rb

The code can also be dropped into IRB as is - cut & paste the text. That works here, but I hit encoding problems when adding this instruction:

puts page.body

which raises an error:

Encoding::UndefinedConversionError ("\xC2" from ASCII-8BIT to UTF-8)

ruby can handle encoding conversions, but it can be confusing where you apply such conversions. For instance, if the puts page.body instruction is included in the file and you do

$ ruby intro.rb

this returns squillions of lines of HTML ending with

<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '673022290083244');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=673022290083244&ev=PageView&noscript=1"
/></noscript>
<!-- End Facebook Pixel Code -->
</body>
</html>

So essentially no problem.

However, I just noticed the ellipsis in my report: the ... was meant to signify the missing lines in the irb input/output, so you are correct; the "page = ..." command is missing. Just trying to reduce the verbiage. Sorry about that.

The attributes are returned by parameters like page.title, page.body, page.whatever.

Again, apologies. Just OK the package.
OK then, thanks for looking into it.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Good work, Gentlemen! Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to svn.
CVE: (none) => CVE-2021-21289
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0124.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED