This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.
References:
CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.
CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8
If you are using Nokogiri <= v1.10.7, please upgrade to v1.10.8 or later.
permalink: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19956.html
bug report: https://gitlab.gnome.org/GNOME/libxml2/issues/82
description:
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
priority: __low__
fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549
in upstream libxml2 release?
$ git tag --contains 5a02583c7e683896d84878bd90641d8d9b0d0549
v2.9.10
v2.9.10-rc1
permalink: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7595.html
bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582
description:
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
priority: __medium__
fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5
in upstream libxml2 release?
$ git tag --contains 0e1a49c8907645d2e155f0d89d4d9895ac5112b5
# no, not in an upstream release
CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.
CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.
Nokogiri should backport the patch for CVE-2020-7595 into its vendored version of libxml2.
Patch has been backported onto master. Now waiting for the v1.10.x branch to go green so I can cut a patch release.
v1.10.8 has been released: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8
Most helpful comment
v1.10.8 has been released: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8