Bug 691974 (CVE-2019-5477)

Summary:	<dev-ruby/nokogiri-1.10.4: Command injection allowing commands to be executed in a subprocess by Ruby's `Kernel.open` method (CVE-2019-5477)
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ruby
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+ cve]
Package list:	dev-ruby/nokogiri-1.10.4 dev-ruby/rexical-1.0.7	Runtime testing required:	---

Description Jeroen Roovers (RETIRED) gentoo-dev

2019-08-12 05:21:10 UTC

Nokogiri 1.10.4 has been released.

This is a security release. Summary details are below, and full details are
at https://github.com/sparklemotion/nokogiri/issues/1915

---

## 1.10.4 / 2019-08-11

### Security

#### Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions
v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
code for parsing CSS queries. The underlying vulnerability was addressed in
Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri
v1.10.4.

This CVE's public notice is
https://github.com/sparklemotion/nokogiri/issues/1915

Comment 1 Larry the Git Cow gentoo-dev

2019-08-12 07:02:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=caf197d03fb9a2e355844d12defdfa60db61ccc7

commit caf197d03fb9a2e355844d12defdfa60db61ccc7
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2019-08-12 07:02:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2019-08-12 07:02:35 +0000

    dev-ruby/nokogiri: add 1.10.4
    
    Bug: https://bugs.gentoo.org/691974
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/nokogiri/Manifest               |  1 +
 dev-ruby/nokogiri/nokogiri-1.10.4.ebuild | 91 ++++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2019-08-12 07:10:47 UTC

Please test and mark stable.

Comment 3 Agostino Sarubbo gentoo-dev

2019-08-13 09:18:12 UTC

x86 stable

Comment 4 Agostino Sarubbo gentoo-dev

2019-08-13 13:13:40 UTC

ppc64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2019-08-13 13:14:44 UTC

ppc stable

Comment 6 Agostino Sarubbo gentoo-dev

2019-08-13 14:53:45 UTC

ia64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2019-08-13 14:54:51 UTC

sparc stable

Comment 8 Hans de Graaff gentoo-dev

2019-08-14 05:15:15 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2019-08-14 07:35:52 UTC

alpha stable

Comment 10 Mikle Kolyada (RETIRED) archtester

2019-09-01 18:17:46 UTC

arm stable

Comment 11 Mikle Kolyada (RETIRED) archtester

2019-09-01 18:18:10 UTC

s390 stable

Comment 12 Rolf Eike Beer archtester

2019-12-05 22:28:38 UTC

hppa stable

Comment 13 Hans de Graaff gentoo-dev

2019-12-06 06:16:31 UTC

Cleanup done.

Comment 14 NATTkA bot gentoo-dev

2020-04-06 15:07:08 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 15 Yury German Gentoo Infrastructure

2020-05-22 01:45:15 UTC

Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2020-06-13 01:08:15 UTC

This issue was resolved and addressed in
 GLSA 202006-05 at https://security.gentoo.org/glsa/202006-05
by GLSA coordinator Aaron Bauman (b-man).