Bug 2074340 (CVE-2022-24839)

Summary: CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, btotty, dmetzger, ehelms, extras-orphan, gmccullo, gtanzill, jaruga, jfrey, jhardy, jsherril, lzap, mhulan, mmccune, mtasaka, myarboro, nmoumoul, obarenbo, orabin, pcreech, pvalena, rchan, roliveri, ruby-maint, simaishi, smallamp, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-nokogiri 1.9.22.noko2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the nokogiri library when processing an ill-formed HTML markup. This flaw allows an attacker to cause uncontrolled resource consumption, which affects performance.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-01 12:33:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2074341, 2074342, 2074777, 2074778, 2074779, 2075226    
Bug Blocks: 2074343    

Description Avinash Hanwate 2022-04-12 04:35:08 UTC
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. 

Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Comment 1 Avinash Hanwate 2022-04-12 04:35:47 UTC
Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074341]
Affects: fedora-all [bug 2074342]

Comment 4 Jun Aruga 2022-06-01 12:33:29 UTC
I think the rubygem-nokogiri RPM doesn't ship the Java part at least on Fedora package. We can just close this ticket.
https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/rawhide/f/rubygem-nokogiri.spec#_61
https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/rawhide/f/rubygem-nokogiri.spec#_144
> rm -rf .%{gem_instdir}/ext/java