Nokogiri: Investigate libxml2 vulnerabilities patched in USN-4274-1

Created on 10 Feb 2020  路  4Comments  路  Source: sparklemotion/nokogiri

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary

Synthesis

CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Actions

Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8

If you are using Nokogiri <= v1.10.7, please upgrade to v1.10.8 or later.


History of this notification

  • 2020-02-10: USN-4274-1 published by Canonical
  • 2020-02-10: this github issue created
  • 2020-02-10: Nokogiri v1.10.8 is released with patched libxml2
topisecurity vendorelibxml2

Most helpful comment

All 4 comments

Analysis

CVE-2019-19956

permalink: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19956.html

bug report: https://gitlab.gnome.org/GNOME/libxml2/issues/82

description:

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

priority: __low__

fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549

in upstream libxml2 release?

$ git tag --contains 5a02583c7e683896d84878bd90641d8d9b0d0549
v2.9.10
v2.9.10-rc1

CVE-2020-7595

permalink: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7595.html

bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582

description:

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

priority: __medium__

fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

in upstream libxml2 release?

$ git tag --contains 0e1a49c8907645d2e155f0d89d4d9895ac5112b5
# no, not in an upstream release

Synthesis

CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Recommendations

Nokogiri should backport the patch for CVE-2020-7595 into its vendored version of libxml2.

Patch has been backported onto master. Now waiting for the v1.10.x branch to go green so I can cut a patch release.

Was this page helpful?
0 / 5 - 0 ratings