
CVE-2019-5477: ruby-nokogiri issue caused by rexical


While triaging ruby-nokogiri/CVE-2019-5477, I noticed this in [1]:


This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

The file lib/nokogiri/css/tokenizer.rb in nokogiri gets generated via rexical and is shipped in the nokogiri upstream repo.

Debian jessie did not have rexical, so I suppose the generated code was simply shipped in Debian jessie's version of ruby-nokogiri. Interesting, how to patch that...

However, in Debian stretch and beyond we do have rexical; I did not spend time finding out whether ruby-nokogiri in stretch regenerates lib/nokogiri/css/tokenizer.rb or whether the upstream-shipped copy is used.

However, to address CVE-2019-5477, it should also be associated with the rexical src:pkg in stretch and later. @security-team: can you please update data/CVE/list appropriately (instead of me updating it and you correcting my change)? Thanks!


[1] https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc

c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
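A check that helps with the open question above, namely which rexical version produced a shipped copy of lib/nokogiri/css/tokenizer.rb and whether that version predates the 1.0.7 fix. This is an added example, not code from the message, from nokogiri or from rexical; it assumes that rexical-generated files carry a header line of the form "# This file is automatically generated by rex 1.0.5", and the sample header below is constructed.

```ruby
require "rubygems" # provides Gem::Version for version comparison

# The version of rexical in which the CVE-2019-5477 issue was addressed.
FIXED_REXICAL_VERSION = Gem::Version.new("1.0.7")

# Returns the rex version string found in the generated-file header, or nil
# if the file does not look like rexical output (assumed header format).
def rexical_version_of(source)
  m = source.match(/^#\s*This file is automatically generated by rex\s+(\d+(?:\.\d+)*)/)
  m && m[1]
end

# :unknown if no header is found, :vulnerable if the generator predates
# 1.0.7 (i.e. 1.0.6 or earlier), :fixed otherwise.
def rexical_status(source)
  version = rexical_version_of(source)
  return :unknown unless version
  Gem::Version.new(version) < FIXED_REXICAL_VERSION ? :vulnerable : :fixed
end

# Constructed sample mimicking the head of a tokenizer.rb generated by an
# old rexical; not taken from any real package.
SAMPLE_OLD = <<~RUBY
  #--
  # DO NOT MODIFY!!!!
  # This file is automatically generated by rex 1.0.5
  # from lexical definition file "lib/nokogiri/css/tokenizer.rex".
  #++
  require 'strscan'
RUBY

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_rex.rb /path/to/lib/nokogiri/css/tokenizer.rb
  path = ARGV[0]
  src = path ? File.read(path) : SAMPLE_OLD
  label = path || "constructed sample"
  puts "#{label}: rex #{rexical_version_of(src) || '?'} -> #{rexical_status(src)}"
end
```

Running it against the tokenizer.rb in an unpacked ruby-nokogiri source package (after the build, to see whether rexical regenerated it) tells you which rexical version is actually in play.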
