Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 762685 (CVE-2020-26247)

Summary: <dev-ruby/nokogiri-1.11.0: XXE vulnerability (CVE-2020-26247)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 22:00:21 UTC 
CVE-2020-26247:

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.


Needs a bump but fixed version is only an rc version so waiting may be a good
idea too.
Comment 1 Hans de Graaff gentoo-dev Security 2020-12-31 06:42:07 UTC 
(In reply to John Helmert III (ajak) from comment #0)

> Needs a bump but fixed version is only an rc version so waiting may be a good
> idea too.

Yes, we'll wait for an official release.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-05 06:28:59 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec

commit c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-01-05 06:28:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-01-05 06:28:47 +0000

    dev-ruby/nokogiri: add 1.11.0
    
    Closes: https://bugs.gentoo.org/705334
    Closes: https://bugs.gentoo.org/762685
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/nokogiri/Manifest               |  1 +
 dev-ruby/nokogiri/nokogiri-1.11.0.ebuild | 98 ++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-05 06:48:26 UTC 
Need to keep open for stabling etc. Thanks for the bump! Let us know when it’s ready.
Comment 4 NATTkA bot gentoo-dev 2021-01-10 08:36:53 UTC Comment hidden (obsolete)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 01:52:42 UTC 
What do we think?
Comment 6 Hans de Graaff gentoo-dev Security 2021-02-07 10:54:51 UTC 
Please test and mark stable.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:25:28 UTC 
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:26:59 UTC 
x86 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 06:15:54 UTC 
s390 done
Comment 10 Rolf Eike Beer archtester 2021-02-09 14:16:31 UTC 
sparc stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 08:00:41 UTC 
ppc64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-13 17:57:50 UTC 
arm64 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 20:36:40 UTC 
arm done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 08:27:03 UTC 
ppc done

all arches done
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 01:18:10 UTC 
Please cleanup
Comment 16 Hans de Graaff gentoo-dev Security 2021-02-21 10:45:40 UTC 
cleanup done.
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-21 15:45:00 UTC 
(In reply to Hans de Graaff from comment #16)
> cleanup done.

Thanks!
Comment 18 NATTkA bot gentoo-dev 2021-07-29 17:24:47 UTC Comment hidden (obsolete)
Comment 19 NATTkA bot gentoo-dev 2021-07-29 17:33:18 UTC Comment hidden (obsolete)
Comment 20 NATTkA bot gentoo-dev 2021-07-29 17:41:09 UTC Comment hidden (obsolete)
Comment 21 NATTkA bot gentoo-dev 2021-07-29 17:49:19 UTC Comment hidden (obsolete)
Comment 22 NATTkA bot gentoo-dev 2021-07-29 18:05:14 UTC Comment hidden (obsolete)
Comment 23 NATTkA bot gentoo-dev 2021-07-29 18:13:33 UTC 
Package list is empty or all packages have requested keywords.
Comment 24 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:54:51 UTC 
GLSA request filed
Comment 25 Larry the Git Cow gentoo-dev 2022-08-14 21:45:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4615e1d23edb7c238657339624a79b0f373b7ce8

commit 4615e1d23edb7c238657339624a79b0f373b7ce8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:44:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:45:14 +0000

    [ GLSA 202208-29 ] Nokogiri: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/762685
    Bug: https://bugs.gentoo.org/837902
    Bug: https://bugs.gentoo.org/846623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-29.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
Comment 26 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 21:45:49 UTC 
GLSA done, all done.