
Bug 762685 (CVE-2020-26247)

Summary: <dev-ruby/nokogiri-1.11.0: XXE vulnerability (CVE-2020-26247)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 22:00:21 UTC
CVE-2020-26247:

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.


Needs a bump but fixed version is only an rc version so waiting may be a good
idea too.
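An added example, not part of this bug report or of Nokogiri's own code: a small Ruby triage helper that lists the external resources an untrusted schema document would make the parser load (xs:import/include/redefine locations, or a DTD) and checks the installed Nokogiri version against the fixed release named in the advisory. The two sample schemas and the example.invalid URL are constructed for the demonstration; it uses only the stdlib REXML parser, so it runs without Nokogiri installed.

```ruby
require "rexml/document"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
# Top-level schema constructs that make the schema parser load another document.
LOADING_ELEMENTS = %w[import include redefine].freeze
NETWORK_LOCATION = %r{\A(https?|ftp)://}i
# First Nokogiri release in which Schema parsing defaults to NONET (per the advisory).
FIXED_VERSION = Gem::Version.new("1.11.0.rc4")
# Constructed sample schemas (not from the advisory): one self-contained,
# one pulling a remote schema over HTTP through xs:import.
LOCAL_ONLY_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="#{XSD_NS}">
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD
REMOTE_IMPORT_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="#{XSD_NS}" xmlns:ext="urn:example:ext">
    <xs:import namespace="urn:example:ext" schemaLocation="http://example.invalid/remote.xsd"/>
    <xs:element name="note" type="ext:noteType"/>
  </xs:schema>
XSD

# Lists everything an untrusted schema document would make the parser fetch:
# a DTD (no legitimate XSD needs one) and xs:import/include/redefine locations.
def external_schema_references(xsd_text)
  refs = []
  refs << { kind: "doctype", location: nil } if xsd_text =~ /<!DOCTYPE/i
  doc = REXML::Document.new(xsd_text)
  doc.root.each_element do |el|
    next unless el.namespace == XSD_NS && LOADING_ELEMENTS.include?(el.name)
    loc = el.attributes["schemaLocation"]
    refs << { kind: el.name, location: loc } if loc
  end
  refs
end

def fixed_version?(nokogiri_version)
  Gem::Version.new(nokogiri_version) >= FIXED_VERSION
end

# True when parsing cannot reach the network: the installed Nokogiri already
# defaults to NONET, or the schema references nothing remote. A DTD counts as
# unsafe regardless, since it can declare external entities.
def parse_without_network?(nokogiri_version, xsd_text)
  return true if fixed_version?(nokogiri_version)
  external_schema_references(xsd_text).none? do |r|
    r[:kind] == "doctype" || r[:location].to_s.match?(NETWORK_LOCATION)
  end
end
```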
Comment 1 Hans de Graaff gentoo-dev Security 2020-12-31 06:42:07 UTC
(In reply to John Helmert III (ajak) from comment #0)

> Needs a bump but fixed version is only an rc version so waiting may be a good
> idea too.

Yes, we'll wait for an official release.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-05 06:28:59 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec

commit c0e4849bb6896cedf44d5bcae8cd1a07c7cf21ec
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-01-05 06:28:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-01-05 06:28:47 +0000

    dev-ruby/nokogiri: add 1.11.0
    
    Closes: https://bugs.gentoo.org/705334
    Closes: https://bugs.gentoo.org/762685
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/nokogiri/Manifest               |  1 +
 dev-ruby/nokogiri/nokogiri-1.11.0.ebuild | 98 ++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-05 06:48:26 UTC
Need to keep open for stabling etc. Thanks for the bump! Let us know when it’s ready.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 01:52:42 UTC
What do we think?
Comment 6 Hans de Graaff gentoo-dev Security 2021-02-07 10:54:51 UTC
Please test and mark stable.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:25:28 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:26:59 UTC
x86 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 06:15:54 UTC
s390 done
Comment 10 Rolf Eike Beer archtester 2021-02-09 14:16:31 UTC
sparc stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 08:00:41 UTC
ppc64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-13 17:57:50 UTC
arm64 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 20:36:40 UTC
arm done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 08:27:03 UTC
ppc done

all arches done
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 01:18:10 UTC
Please cleanup
Comment 16 Hans de Graaff gentoo-dev Security 2021-02-21 10:45:40 UTC
cleanup done.
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-21 15:45:00 UTC
(In reply to Hans de Graaff from comment #16)
> cleanup done.

Thanks!
Comment 23 NATTkA bot gentoo-dev 2021-07-29 18:13:33 UTC
Package list is empty or all packages have requested keywords.
Comment 24 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:54:51 UTC
GLSA request filed
Comment 25 Larry the Git Cow gentoo-dev 2022-08-14 21:45:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4615e1d23edb7c238657339624a79b0f373b7ce8

commit 4615e1d23edb7c238657339624a79b0f373b7ce8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:44:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:45:14 +0000

    [ GLSA 202208-29 ] Nokogiri: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/762685
    Bug: https://bugs.gentoo.org/837902
    Bug: https://bugs.gentoo.org/846623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-29.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
Comment 26 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 21:45:49 UTC
GLSA done, all done.