Bug 30451 - ruby-nokogiri new security issue CVE-2022-29181
Summary: ruby-nokogiri new security issue CVE-2022-29181
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-05-19 18:58 CEST by David Walser
Modified: 2022-05-22 13:27 CEST

See Also:
Source RPM: ruby-nokogiri-1.11.1-1.1.mga8.src.rpm
Status comment:


Description David Walser 2022-05-19 18:58:19 CEST
Upstream has issued an advisory on May 8:

Fedora has issued an advisory for this today (May 19):

The issue is fixed upstream in 1.13.6.

Mageia 8 is also affected.

David Walser 2022-05-19 18:58:40 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.13.6

Comment 1 Pascal Terjan 2022-05-21 11:33:35 CEST
Cauldron now has 1.13.6

For Mageia 8, I will add the fix from https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267

David Walser 2022-05-21 16:41:19 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Pascal Terjan 2022-05-21 19:53:40 CEST
ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'

$ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
/usr/share/gems/gems/nokogiri-1.11.1/lib/nokogiri/xml/sax/parser.rb:109: [BUG] Segmentation fault at 0x0000000195fd95fd
ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a) [x86_64-linux]
Aborted (core dumped)

$ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
/usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:111:in `memory': wrong argument type Integer (expected String) (TypeError)
	from /usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:111:in `parse_memory'
	from /usr/share/gems/gems/nokogiri-1.13.6/lib/nokogiri/xml/sax/parser.rb:85:in `parse'
	from -e:1:in `<main>'

Comment 3 Pascal Terjan 2022-05-21 19:59:11 CEST
Packages were uploaded for Mageia 8 updates_testing:


Pascal Terjan 2022-05-21 20:00:09 CEST

Status comment: Fixed upstream in 1.13.6 => (none)
Assignee: pterjan => qa-bugs

David Walser 2022-05-21 20:04:23 CEST

CC: (none) => pterjan

Comment 4 Len Lawrence 2022-05-21 20:30:23 CEST
Ran this update again, mga8, x64

After updating the reproducer did not abort:
$ ruby -rnokogiri -e 'Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)'
Traceback (most recent call last):
	3: from -e:1:in `<main>'
	2: from /usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:84:in `parse'
	1: from /usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:109:in `parse_memory'
/usr/share/gems/gems/nokogiri-1.11.7/lib/nokogiri/xml/sax/parser.rb:109:in `memory': wrong argument type Integer (expected String) (TypeError)

Not sure how to test this but tried an IRB session using a TV channel list file generated by w_scan2 for vlc.
$ irb
irb(main):001:0> require "nokogiri"
=> true
irb(main):002:0> file = "channels.xspf"
=> "channels.xspf"
irb(main):003:0> doc = File.read( file )
=> "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<playlist xmlns=\"h...
irb(main):004:0> check = Nokogiri::XML( doc )
=> #<Nokogiri::XML::Document:0xec68 name="document" children=[#<Nok...
irb(main):005:0> puts check.errors
=> nil
irb(main):006:0> exit

ruby-mechanize and ruby-xpath require ruby-nokogiri but I know nothing about them.  ruby-mechanize is available in Mageia8.  It looks like a web tool of some kind - too complicated for me.

Giving this an OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
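
A regression check for the reproducer used in comments 2 and 4, as an added example that is not part of the original thread or of Nokogiri: it runs the one-liner in a child process and classifies the result as a crash or a clean TypeError. The names `classify` and `run_reproducer`, the outcome labels and the `--run` switch are assumptions made for this sketch; the sample strings are abbreviated from the output quoted above.

```ruby
require "open3"
require "rbconfig"

# Reproducer quoted in this bug: an Integer handed to the SAX parser.
REPRODUCER = "Nokogiri::XML::SAX::Parser.new.parse(0xcafecafe)"

# Sample stderr lines, abbreviated from the output quoted in comments 2 and 4.
SAMPLE_CRASH = "parser.rb:109: [BUG] Segmentation fault at 0x0000000195fd95fd\n"
SAMPLE_FIXED = "parser.rb:109:in `memory': wrong argument type Integer " \
               "(expected String) (TypeError)\n"

# Classify one run from its exit state and stderr. The pieces are passed
# separately so the decision logic can be exercised without Nokogiri installed.
def classify(signaled:, exitstatus:, stderr:)
  # An interpreter abort (killed by a signal, or Ruby's [BUG] banner) means the
  # argument reached native code without a type check.
  return :vulnerable if signaled || stderr.include?("[BUG] Segmentation fault")
  return :not_installed if stderr.include?("cannot load such file -- nokogiri")
  # The patched parser rejects the argument with a TypeError before parsing.
  type_error = /wrong argument type Integer \(expected String\) \(TypeError\)/
  return :fixed if exitstatus != 0 && stderr.match?(type_error)
  :inconclusive
end

# Run the reproducer in a child interpreter so a crash cannot take down the
# checking process, then classify what happened.
def run_reproducer(ruby: RbConfig.ruby)
  _out, err, status = Open3.capture3(ruby, "-rnokogiri", "-e", REPRODUCER)
  classify(signaled: status.signaled?, exitstatus: status.exitstatus, stderr: err)
end

# Only touch the installed gem when asked to (hypothetical --run switch).
if ARGV.first == "--run"
  result = run_reproducer
  puts "CVE-2022-29181 reproducer: #{result}"
  exit(result == :fixed ? 0 : 1)
end
```

Invoked with `--run` on a test machine, the script exits 0 only when the installed package answers the reproducer with the TypeError.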

Comment 5 Thomas Andrews 2022-05-22 01:52:42 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-22 04:15:22 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-22 13:27:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
