Upstream has issued an advisory on May 8:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Fedora has issued an advisory for this today (May 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4J4GGCK2IK6R7HJKHPGPCCZRBXEWHBVC/

The issue is fixed upstream in 1.13.6.

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.13.6
Cauldron now has 1.13.6.

For Mageia 8, I will add the fix from https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Reproducer:

    ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'

Before:

    $ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
    /usr/share/gems/gems/nokogiri-1.11.1/lib/nokogiri/xml/sax/parser.rb:109: [BUG] Segmentation fault at 0x0000000195fd95fd
    ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a) [x86_64-linux]
    [...]
    Aborted (core dumped)

After:

    $ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
    /usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:111:in `memory': wrong argument type Integer (expected String) (TypeError)
            from /usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:111:in `parse_memory'
            from /usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:85:in `parse'
            from -e:1:in `<main>'
Packages were uploaded for Mageia 8 updates_testing:

    ruby-nokogiri-1.11.7-1.1.mga8.src.rpm
    ruby-nokogiri-doc-1.11.7-1.1.mga8
    ruby-nokogiri-1.11.7-1.1.mga8
Status comment: Fixed upstream in 1.13.6 => (none)
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Ran this update again, mga8, x64.

After updating the reproducer did not abort:

    $ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
    Traceback (most recent call last):
            3: from -e:1:in `<main>'
            2: from /usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:84:in `parse'
            1: from /usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:109:in `parse_memory'
    /usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:109:in `memory': wrong argument type Integer (expected String) (TypeError)

Not sure how to test this but tried an IRB session using a TV channel list file generated by w_scan2 for vlc.

    $ irb
    irb(main):001:0> require "nokogiri"
    => true
    irb(main):002:0> file = "channels.xspf"
    => "channels.xspf"
    irb(main):003:0> doc = File.read( file )
    => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<playlist xmlns=\"h...
    irb(main):004:0> check = Nokogiri::XML( doc )
    => #<Nokogiri::XML::Document:0xec68 name="document" children=[#<Nok...
    irb(main):005:0> puts check.errors
    => nil
    irb(main):006:0> exit

ruby-mechanize and ruby-xpath require ruby-nokogiri but I know nothing about them. ruby-mechanize is available in Mageia8. It looks like a web tool of some kind - too complicated for me.

Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
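
The before/after check from the comments above can be scripted for update testing. The following is an added example, not part of the original report or of nokogiri: it runs the reproducer quoted in this thread in a child process and classifies the result by behaviour rather than by version number, which matters here because Mageia 8 carries the fix as a backport to 1.11.7. The names classify and check_installed_nokogiri are hypothetical.

```ruby
require "open3"
require "rbconfig"

# Reproducer quoted in this report: a non-String handed to the SAX parser.
REPRODUCER = "Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)"

# Message printed by the patched packages in this thread (1.13.6 and 1.11.7-1.1.mga8).
FIXED_ERROR = "wrong argument type Integer (expected String) (TypeError)"

# Classify one run of the reproducer from the child's stderr and whether the
# child was killed by a signal (the interpreter aborts after printing [BUG]).
def classify(stderr, signaled:)
  return :not_installed if stderr.include?("cannot load such file -- nokogiri")
  return :vulnerable if signaled || stderr.include?("[BUG] Segmentation fault")
  return :fixed if stderr.include?(FIXED_ERROR)
  :unknown
end

# Run the reproducer in a separate interpreter so that a crash in an
# unpatched package cannot take this script down with it.
def check_installed_nokogiri
  _out, err, status = Open3.capture3(RbConfig.ruby, "-rnokogiri", "-e", REPRODUCER)
  classify(err, signaled: status.signaled?)
end

puts "nokogiri: #{check_installed_nokogiri}" if __FILE__ == $PROGRAM_NAME
```

A result of :unknown means the child neither crashed nor raised the expected TypeError and should be inspected by hand.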
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0200.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED