Nokogiri: Investigate Ubuntu libxml2 patches in USN-3424-1

Created on 19 Sep 2017  路  8Comments  路  Source: sparklemotion/nokogiri

USN-3424-1: libxml2 vulnerabilities

Present in rootfs

https://github.com/cloudfoundry/security-notices/issues/336
Ubuntu Security Notice USN-3424-1

18th September, 2017

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 17.04
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libxml2.

Software description

libxml2 - GNOME XML library
Details

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that
could cause a denial of service or possibly execute arbitrary
code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML
data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel B枚hme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-9047)

Marcel B枚hme and Van-Thuan Pham discovered a buffer overread
in libxml2 when handling elements. An attacker could use this
to specially construct XML data that could cause a denial of
service. (CVE-2017-9048)

Marcel B枚hme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libxml2 2.9.4+dfsg1-2.2ubuntu0.1
Ubuntu 16.04 LTS:
libxml2 2.9.3+dfsg1-1ubuntu0.3
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.10
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050
topisecurity vendorelibxml2

Most helpful comment

v1.8.1 has shipped, updating nokogiri to libxml 2.9.5.

All 8 comments

It's likely that upgrading to libxml 2.9.5 will pull in these patches, I need to confirm that. If that's the case I expect to be able to turn around an update today.

checking if these patches are all in 2.9.5, looks like they are (note two patches are repeated in two CVEs):

curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 92b9e8c8b3787068565a1820ba575d042f9eec66
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 90ccb58242866b0ba3edbef8fe44214a101c2b3e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 932cc9896ab41475d4aa429c27d9afd175959d74
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains e26630548e7d138d2c560844c43820b6767251e3
v2.9.5
v2.9.5-rc1
v2.9.5-rc2

OK, mitigation is going to be updating nokogiri to libxml 2.9.5, which is actually master and ready to release.

v1.8.1 has shipped, updating nokogiri to libxml 2.9.5.

Thanks for your hard work, as always!

:bow:

馃憦

Was this page helpful?
0 / 5 - 0 ratings