Bug 2074346 (CVE-2022-24836)

Summary: CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, btotty, caswilli, dhalasz, dmetzger, ehelms, extras-orphan, gmccullo, gtanzill, jfrey, jhardy, jsherril, jwong, kaycoth, kshier, lzap, mhulan, mtasaka, myarboro, nmoumoul, obarenbo, orabin, pcreech, pvalena, rchan, roliveri, ruby-maint, simaishi, smallamp, sthirugn, vanmeeuwen+fedora, vkrizan, vmugicag, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nokogiri 1.13.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the nokogiri library when processing an inefficient and complex regular expression. This flaw allows an attacker to cause excessive consumption of resources, which affects performance.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-07 09:02:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2074347, 2074348, 2074362, 2074774, 2074775, 2074776    
Bug Blocks: 2074349    

Description Avinash Hanwate 2022-04-12 04:47:18 UTC 
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
Comment 1 Avinash Hanwate 2022-04-12 04:47:50 UTC 
Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074347]
Affects: fedora-all [bug 2074348]
Comment 7 errata-xmlrpc 2022-11-16 13:32:11 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
Comment 8 Product Security DevOps Team 2022-12-07 09:02:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24836