ruby-nokogiri / CVE-2019-5477
There was some concern that the required file is autogenerated, however
in this particular version of this package there is no evidence I can
find that this is actually the case. Patching the file directly appears
to be sufficient to fix the problem.
debdiff patch attached.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/changelog ruby-nokogiri-1.6.3.1+ds/debian/changelog
--- ruby-nokogiri-1.6.3.1+ds/debian/changelog 2014-07-26 14:12:11.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/changelog 2019-09-24 17:22:04.000000000 +1000
@@ -1,3 +1,12 @@
+ruby-nokogiri (1.6.3.1+ds-1+deb8u1) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2019-5477: Command injection vulnerability in Nokogiri
+ allows commands to be executed in a subprocess by Ruby's
+ `Kernel.open` method.
+
+ -- Brian May <bam@debian.org> Tue, 24 Sep 2019 17:22:04 +1000
+
ruby-nokogiri (1.6.3.1+ds-1) unstable; urgency=medium
* Imported Upstream version 1.6.3.1+ds
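Review bot: the changelog entry should record that lib/nokogiri/css/tokenizer.rb is patched directly and is not regenerated during the build in this version, since the cover mail raises exactly that concern; a future upload that does regenerate the tokenizer would otherwise drop the fix silently. A short line such as "patch the generated tokenizer.rb directly; it is not rebuilt in this package" after the CVE bullet would make the scope of the fix clear to the next uploader.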
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch
--- ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch 1970-01-01 10:00:00.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch 2019-09-23 17:38:38.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/lib/nokogiri/css/tokenizer.rb
++++ b/lib/nokogiri/css/tokenizer.rb
+@@ -33,7 +33,7 @@
+
+ def load_file( filename )
+ @filename = filename
+- open(filename, "r") do |f|
++ File.open(filename, "r") do |f|
+ scan_setup(f.read)
+ end
+ end
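Review bot: the new debian/patches/CVE-2019-5477.patch has no DEP-3 header, which is the usual convention for Debian patches; add at least Description, Origin (or Author) and a Bug/Forwarded line naming CVE-2019-5477 so the provenance of the change is visible without reading the changelog. The substantive change is right: the bare `open(filename, "r")` resolves to Kernel#open, which interprets a filename beginning with "|" as a command to run in a subprocess, whereas `File.open(filename, "r")` only opens files, so the one-line swap closes the command-injection path described in the changelog. It would be worth confirming that this is the only bare `open(` call on an attacker-influenced path in lib/ in this version, and stating that in the patch header.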
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/patches/series ruby-nokogiri-1.6.3.1+ds/debian/patches/series
--- ruby-nokogiri-1.6.3.1+ds/debian/patches/series 2014-07-26 14:10:35.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/patches/series 2019-09-23 17:37:15.000000000 +1000
@@ -3,3 +3,4 @@
skip_test_reader_entity_reference_without_dtdload.patch
deactivate_test_reader_blocking.patch
always_use_system_libraries.patch
+CVE-2019-5477.patch
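Review bot: the series entry is appended after always_use_system_libraries.patch, which is fine since the CVE patch touches a file none of the existing patches modify; no ordering concern here.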