
ruby-nokogiri / CVE-2019-5477



There was some concern that the required file is autogenerated, however
in this particular version of this package there is no evidence I can
find that this is actually the case. Patching the file directly appears
to be sufficient to fix the problem.

debdiff patch attached.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/changelog ruby-nokogiri-1.6.3.1+ds/debian/changelog
--- ruby-nokogiri-1.6.3.1+ds/debian/changelog	2014-07-26 14:12:11.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/changelog	2019-09-24 17:22:04.000000000 +1000
@@ -1,3 +1,12 @@
+ruby-nokogiri (1.6.3.1+ds-1+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2019-5477: Command injection vulnerability in Nokogiri
+    allows commands to be executed in a subprocess by Ruby's
+    `Kernel.open` method.
+
+ -- Brian May <bam@debian.org>  Tue, 24 Sep 2019 17:22:04 +1000
+
 ruby-nokogiri (1.6.3.1+ds-1) unstable; urgency=medium
 
   * Imported Upstream version 1.6.3.1+ds
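Review bot: the changelog entry names the CVE but not where the fix lands; adding the patched file and method (`load_file` in `lib/nokogiri/css/tokenizer.rb`) to the `Fix CVE-2019-5477` bullet would let anyone reading `apt changelog` see the scope of the change without opening the quilt patch.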
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch
--- ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch	1970-01-01 10:00:00.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/patches/CVE-2019-5477.patch	2019-09-23 17:38:38.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/lib/nokogiri/css/tokenizer.rb
++++ b/lib/nokogiri/css/tokenizer.rb
+@@ -33,7 +33,7 @@
+ 
+   def load_file( filename )
+     @filename = filename
+-    open(filename, "r") do |f|
++    File.open(filename, "r") do |f|
+       scan_setup(f.read)
+     end
+   end
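Review bot: the new quilt patch carries no DEP-3 header, so `debian/patches/CVE-2019-5477.patch` records its purpose only in its file name; prefix it with `Description:`, `Origin:` (or `Author:`) and `Bug:`/`Forwarded:` lines ahead of the `--- a/lib/nokogiri/css/tokenizer.rb` line so the CVE reference and provenance travel with the patch. The one-line change itself is correct for the issue the changelog describes: `File.open(filename, "r")` always treats `filename` as a path, whereas the bare `open(filename, "r")` it replaces is `Kernel#open`, which runs a name beginning with `|` as a subprocess.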
diff -Nru ruby-nokogiri-1.6.3.1+ds/debian/patches/series ruby-nokogiri-1.6.3.1+ds/debian/patches/series
--- ruby-nokogiri-1.6.3.1+ds/debian/patches/series	2014-07-26 14:10:35.000000000 +1000
+++ ruby-nokogiri-1.6.3.1+ds/debian/patches/series	2019-09-23 17:37:15.000000000 +1000
@@ -3,3 +3,4 @@
 skip_test_reader_entity_reference_without_dtdload.patch
 deactivate_test_reader_blocking.patch
 always_use_system_libraries.patch
+CVE-2019-5477.patch
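As an added illustration of the change this debdiff makes, and not code from the email, from Nokogiri, or from Debian: a small loader written the way the patched `load_file` is, using `File.open` instead of `Kernel#open`. The class name `SafeLoader`, the helper names and the sample CSS file are constructed for this example. It shows the normal path (reading a real file) and the hardened behaviour on a pipe-prefixed name, which `File.open` treats as an ordinary, nonexistent filename rather than a command.

```ruby
require "tempfile"

# Loader modelled on the patched Nokogiri load_file (class name assumed for
# this example). File.open always interprets its argument as a path;
# Kernel#open, which the patch removes, would treat a leading "|" as a
# command to run in a subprocess.
class SafeLoader
  attr_reader :filename, :contents

  def load_file(filename)
    @filename = filename
    File.open(filename, "r") do |f|
      @contents = f.read
    end
    @contents
  end
end

# Optional belt-and-braces check a caller can apply before opening: flags
# names that Kernel#open would have interpreted as a pipe.
def pipe_like?(name)
  name.start_with?("|")
end

# Constructed sample input: a CSS selector written to a temporary file,
# loaded through SafeLoader and returned as a string.
def load_sample_css
  tmp = Tempfile.new(["sample", ".css"])
  tmp.write("div > p.note")
  tmp.flush
  SafeLoader.new.load_file(tmp.path)
ensure
  tmp.close! if tmp
end

# Shows what happens when a pipe-prefixed name reaches the hardened loader:
# File.open looks for a file literally named "|true", finds none and raises
# Errno::ENOENT; no subprocess is started. Returns a symbol describing the
# outcome so it can be checked.
def pipe_name_outcome
  SafeLoader.new.load_file("|true")
  :opened_something
rescue Errno::ENOENT
  :rejected_as_missing_file
end

if __FILE__ == $PROGRAM_NAME
  puts load_sample_css
  puts pipe_name_outcome
  puts pipe_like?("|true")
end
```

The `pipe_like?` helper is not part of the Nokogiri fix; it is shown only as the kind of input check a caller might add on top of `File.open` when filenames come from an untrusted source, and as a simple detection rule for log review.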