Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

flavorjones · 2017-09-19T14:26:24Z

USN-3424-1: libxml2 vulnerabilities

Present in rootfs

https://github.com/cloudfoundry/security-notices/issues/336
Ubuntu Security Notice USN-3424-1

18th September, 2017

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 17.04
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libxml2.

Software description

libxml2 - GNOME XML library
Details

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that
could cause a denial of service or possibly execute arbitrary
code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML
data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-9047)

Marcel Böhme and Van-Thuan Pham discovered a buffer overread
in libxml2 when handling elements. An attacker could use this
to specially construct XML data that could cause a denial of
service. (CVE-2017-9048)

Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libxml2 2.9.4+dfsg1-2.2ubuntu0.1
Ubuntu 16.04 LTS:
libxml2 2.9.3+dfsg1-1ubuntu0.3
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.10
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050

The text was updated successfully, but these errors were encountered:

flavorjones · 2017-09-19T14:27:06Z

It's likely that upgrading to libxml 2.9.5 will pull in these patches, I need to confirm that. If that's the case I expect to be able to turn around an update today.

flavorjones · 2017-09-19T14:36:22Z

Link dump of CVEs and upstream patches referenced for each:

USN:

https://usn.ubuntu.com/usn/usn-3424-1/

CVE-2017-0663 Priority Medium

CVE-2017-7375 Priority Medium

CVE-2017-7376 Priority Medium

CVE-2017-9047 Priority Medium

CVE-2017-9048 Priority Medium

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html
https://git.gnome.org/browse/libxPriority Mediumml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74

CVE-2017-9049 Priority Medium

CVE-2017-9050 Priority Medium

flavorjones · 2017-09-19T14:39:01Z

checking if these patches are all in 2.9.5, looks like they are (note two patches are repeated in two CVEs):

curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 92b9e8c8b3787068565a1820ba575d042f9eec66
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 90ccb58242866b0ba3edbef8fe44214a101c2b3e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains 932cc9896ab41475d4aa429c27d9afd175959d74
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
curiosity ruby-2.4.1 (master)
libxml2 $ git tag --contains e26630548e7d138d2c560844c43820b6767251e3
v2.9.5
v2.9.5-rc1
v2.9.5-rc2

flavorjones · 2017-09-19T14:39:52Z

OK, mitigation is going to be updating nokogiri to libxml 2.9.5, which is actually master and ready to release.

flavorjones · 2017-09-19T16:18:34Z

v1.8.1 has shipped, updating nokogiri to libxml 2.9.5.

knu · 2017-09-21T00:18:03Z

Thanks for your hard work, as always!

flavorjones · 2017-09-21T00:39:31Z

🙇

jormon · 2017-09-21T17:43:23Z

👏

This fixes a libxml vulnerability, see: sparklemotion/nokogiri#1673

See sparklemotion/nokogiri#1673

Security vulnerabilities identified in libxml2 as used by nokogiri. Affected versions: Prior to 1.8.1 Fixed versions: 1.8.1 Identifier: USN-3424-1 Solution: Upgrade to latest version. Source: sparklemotion/nokogiri#1673

This fixes a security vulnerability with the libxml parser. You can read more about it here: sparklemotion/nokogiri#1673

Security vulnerabilities identified in libxml2 as used by nokogiri. Affected versions: Prior to 1.8.1 Fixed versions: 1.8.1 Identifier: USN-3424-1 Solution: Upgrade to latest version. Source: sparklemotion/nokogiri#1673

More info on vulnerability (fixed in v1.8.1): sparklemotion/nokogiri#1673 This also updates lots of other assorted gems that were a little behind, but doesn't touch some that have had major revisions (e.g. JWT, which I still need to look into and upgrade).

Name: nokogiri Version: 1.7.2 Advisory: CVE-2017-9050 Criticality: Unknown URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1

URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

Name: nokogiri Version: 1.8.0 Advisory: CVE-2017-9050 Criticality: Unknown URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1

Based on the work done in the nokogiri project to address multiple CVEs in libxml2 and libxslt. https://usn.ubuntu.com/usn/usn-3424-1/ CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050 sparklemotion/nokogiri#1673 sparklemotion/nokogiri#1670 SHA256 generated from downloads. Downloads verified with GPG: gpg --verify libxml2-2.9.5.tar.gz.asc libxml2-2.9.5.tar.gz gpg: Signature made Mon Sep 4 09:00:53 2017 EDT using RSA key ID 596BEA5D gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown] gpg: aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F Subkey fingerprint: DB46 681B B91A DCEA 170F A2D4 1558 8B26 596B EA5D gpg --verify libxslt-1.1.30.tar.gz.asc libxslt-1.1.30.tar.gz gpg: Signature made Mon Sep 4 09:36:06 2017 EDT using RSA key ID 596BEA5D gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown] gpg: aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C744 15BA 7C9C 7F78 F02E 1DC3 4606 B8A5 DE95 BC1F Subkey fingerprint: DB46 681B B91A DCEA 170F A2D4 1558 8B26 596B EA5D Signed-off-by: Robb Kidd <robb@thekidds.org>

…n/nokogiri#1673) and CVE-2017-5029 (sparklemotion/nokogiri#1634)

…otion/nokogiri#1673) and [CVE-2017-5029](sparklemotion/nokogiri#1634) Added branch on my fork of savon until PR savonrb/savon#848 has been merged

…n/nokogiri#1673) and CVE-2017-5029 (sparklemotion/nokogiri#1634) (#848)

Name: actionview Version: 4.2.6 Advisory: CVE-2016-6316 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk Title: Possible XSS Vulnerability in Action View Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1 Name: activerecord Version: 4.2.6 Advisory: CVE-2016-6317 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s Title: Unsafe Query Generation Risk in Active Record Solution: upgrade to >= 4.2.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-9050 URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2016-4658 URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2015-8806 URL: sparklemotion/nokogiri#1473 Title: Denial of service or RCE from libxml2 and libxslt Solution: upgrade to >= 1.6.8 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-5029 URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2

The currently installed version has a security advisory: ``` Name: nokogiri Version: 1.8.0 Advisory: CVE-2017-9050 Criticality: Unknown URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1 ```

sparklemotion/nokogiri#1673

xml-kit specifies a minimum version that has fixes for nokogiri that ships a version of libxml that does not have a CVE. sparklemotion/nokogiri#1673

This is to address a vulnerability, for further details: sparklemotion/nokogiri#1673

Earlier versions of Nokogiri have security issues as follows: [CVE-2016-4658](sparklemotion/nokogiri#1615) [CVE-2017-5029](sparklemotion/nokogiri#1634) [CVE-2017-9050](sparklemotion/nokogiri#1673) [CVE-2017-16932](sparklemotion/nokogiri#1714) [CVE-2017-15412](sparklemotion/nokogiri#1714)

Name: nokogiri Version: 1.7.2 Advisory: CVE-2017-9050 Criticality: Unknown URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1

flavorjones added libxml2-upstream topic/security labels Sep 19, 2017

flavorjones added this to the 1.8.1 milestone Sep 19, 2017

flavorjones closed this as completed Sep 19, 2017

cantino mentioned this issue Sep 20, 2017

Update to nokogiri 1.8.1 huginn/huginn#2132

Merged

brianvans mentioned this issue Sep 20, 2017

Update nokogiri to 1.8 postrank-labs/postrank-uri#37

Merged

dentarg mentioned this issue Sep 21, 2017

Add recent Nokogiri vulnerabilities rubysec/ruby-advisory-db#303

Closed

amatriain added a commit to amatriain/feedbunch that referenced this issue Sep 21, 2017

Updated nokogiri gen 1.8.0 -> 1.8.1

a382282

This fixes a libxml vulnerability, see: sparklemotion/nokogiri#1673

rspeicher added a commit to gitlabhq/gitlabhq that referenced this issue Sep 21, 2017

Update nokogiri 1.8.0 -> 1.8.1 to resolve security advisory

65befd8

See sparklemotion/nokogiri#1673

dazoakley added a commit to dazoakley/immagine that referenced this issue Sep 22, 2017

Security patch - Update nokogiri (sparklemotion/nokogiri#1673)

3810d2c

dazoakley added a commit to dazoakley/immagine that referenced this issue Sep 22, 2017

Security patch - Update nokogiri (sparklemotion/nokogiri#1673)

bb997ea

dazoakley added a commit to dazoakley/immagine that referenced this issue Sep 22, 2017

Security patch - Update nokogiri (sparklemotion/nokogiri#1673)

0121a44

dazoakley mentioned this issue Sep 22, 2017

Security patch - Update nokogiri springernature/immagine#87

Merged

klappradla mentioned this issue Sep 22, 2017

Update nokogiri where2help/where2help#288

Merged

edwardloveall added a commit to edwardloveall/absalom-reckoning that referenced this issue Sep 22, 2017

Update nokogiri

3ce3fe5

This fixes a security vulnerability with the libxml parser. You can read more about it here: sparklemotion/nokogiri#1673

Mr0grog mentioned this issue Sep 22, 2017

Update gems; fixe Nokogiri vulnerability edgi-govdata-archiving/web-monitoring-db#141

Merged

AdrianCann mentioned this issue Oct 1, 2017

Update nokogiri based on ruby advisory sophomoric/maddie#57

Merged

alexcopquin mentioned this issue Oct 3, 2017

update nokogiri to 1.8.1 dandemeyere/responsys-api#47

Merged

brikelly mentioned this issue Oct 4, 2017

Conjur is upgraded to use nokogiri 1.8.1 or newer cyberark/conjur#410

Closed

izgeri mentioned this issue Oct 12, 2017

Packages dependent on nokogiri updated cyberark/conjur#427

Closed

timurvafin added a commit to fs/rewards-bamboohr that referenced this issue Oct 17, 2017

Update nokogiri to 1.8.1 to close CVE-2017-905

57c9092

URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

timurvafin mentioned this issue Oct 17, 2017

Update nokogiri to 1.8.1 to close CVE-2017-905 fs/rewards-bamboohr#5

Merged

timurvafin added a commit to fs/rewards-bamboohr that referenced this issue Oct 17, 2017

Update nokogiri to 1.8.1 to close CVE-2017-905 (#5)

47548d3

URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

michael-harrison pushed a commit to michael-harrison/savon that referenced this issue Dec 6, 2017

Updated nokogiri to mitigate vulnerabilities USN-3424-1 (sparklemotio…

5f6f9d8

…n/nokogiri#1673) and CVE-2017-5029 (sparklemotion/nokogiri#1634)

This was referenced Dec 6, 2017

hotfix/nokogiri_vulnerbility_USN-3424-1 savonrb/savon#848

Merged

hotfix/nokogiri_vulnerbility_USN-3424-1 michael-harrison/savon#2

Merged

pcai pushed a commit to savonrb/savon that referenced this issue Dec 7, 2017

Updated nokogiri to mitigate vulnerabilities USN-3424-1 (sparklemotio…

85104ae

…n/nokogiri#1673) and CVE-2017-5029 (sparklemotion/nokogiri#1634) (#848)

havenwood mentioned this issue Dec 7, 2017

Bump Rails, Nokogiri, and related gem versions to address CVEs square/connect-api-examples#46

Merged

fedegratti mentioned this issue Dec 9, 2017

Update gitgub_api dependency to prevent security problems basecamp/trix#467

Closed

Mifrill mentioned this issue Jan 5, 2018

update nokogiri and rubyzip versions ruby-docx/docx#48

Closed

xlgmokha pushed a commit to xlgmokha/xml-kit that referenced this issue Jan 7, 2018

update nokogiri version to fix CVE-2017-9050

9f11104

sparklemotion/nokogiri#1673

xlgmokha added a commit to xlgmokha/saml-kit that referenced this issue Jan 10, 2018

remove explicit nokogiri dependency.

9ff3b0f

xml-kit specifies a minimum version that has fixes for nokogiri that ships a version of libxml that does not have a CVE. sparklemotion/nokogiri#1673

matthewhughes112 added a commit to Accelo/docs that referenced this issue Apr 11, 2018

Update dependency nokogiri from 1.6.8.1 to 1.8.2

c1094df

This is to address a vulnerability, for further details: sparklemotion/nokogiri#1673

matthewhughes112 mentioned this issue Apr 11, 2018

Update dependency nokogiri from 1.6.8.1 to 1.8.2 Accelo/docs#21

Merged

flavorjones added the vendored/libxml2 label Jan 5, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

knu commented Sep 21, 2017

flavorjones commented Sep 21, 2017

jormon commented Sep 21, 2017

Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

Investigate Ubuntu libxml2 patches in USN-3424-1 #1673

Comments

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

flavorjones commented Sep 19, 2017

knu commented Sep 21, 2017

flavorjones commented Sep 21, 2017

jormon commented Sep 21, 2017