Bug 1178970 (CVE-2012-6685) - CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw
Summary: CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-6685
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1178971 1178972
Blocks: 1178979
TreeView+ depends on / blocked
 
Reported: 2015-01-05 19:38 UTC by Martin Prpič
Modified: 2021-10-20 10:49 UTC (History)
40 users (show)

Fixed In Version: nokogiri 1.6.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-20 10:49:11 UTC


Attachments (Terms of Use)

Description Martin Prpič 2015-01-05 19:38:27 UTC
An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for parsing HTML, XML, and SAX. Using external XML entities, a remote attacker could specify a URL in a specially crafted XML that, when parsed, would cause a connection to that URL to be opened.

A patch shipped with the 1.5.4 release of Nokogiri provided a "nonet" option to disable external connections. However, local file URLs could still be used to exploit this flaw. The 1.6.4 release of Nokogiri fixed this issue by using libxml2 2.9.0.

Additional information is detailed at:

https://github.com/sparklemotion/nokogiri/issues/693#issuecomment-68334768

CVE request and assignment:

http://seclists.org/oss-sec/2015/q1/57

Comment 1 Martin Prpič 2015-01-05 19:40:43 UTC
Created rubygem-nokogiri tracking bugs for this issue:

Affects: fedora-19 [bug 1178971]
Affects: epel-all [bug 1178972]

Comment 2 Mamoru TASAKA 2015-01-06 02:15:05 UTC
Fedora (and perhaps EPEL) uses external libxml2, not bundled libxml2, so this should not affect Fedora (and perhaps EPEL) rubygem-nokogiri. Would you confirm?

Comment 3 Mamoru TASAKA 2015-01-06 02:17:19 UTC
By the way Fedora 19 gets EOL today.
https://lists.fedoraproject.org/pipermail/announce/2014-December/003243.html

Comment 4 Martin Prpič 2015-01-06 08:49:34 UTC
(In reply to Mamoru TASAKA from comment #2)
> Fedora (and perhaps EPEL) uses external libxml2, not bundled libxml2, so
> this should not affect Fedora (and perhaps EPEL) rubygem-nokogiri. Would you
> confirm?

Hello, I had a look at the EPEL-7 package and it does bundle libxml2, specifically version 2.8.0. This version is also listed in the dependencies.yml file. Also, from the GitHub comment pasted in comment #0:

"""
People using a system-provided libxml2 library that is < 2.9.0 will still be vulnerable no matter what version of Nokogiri they are using. People using a system-provided libxml2 library is that >= 2.9.2 will be patched no matter what version of Nokogiri they are using.
"""

That means that even if Nokogiri uses the system-provided library and not the bundled one, it would use the 2.6.26 on EL5 and 2.7.6 on EL6, both of which are vulnerable. EL7 uses libxml 2.9.1, which means Nokogiri should be updated to 1.6.4 at least (unless libxml is updated to 2.9.2).

And yes, the Fedora tracker can be closed as of today :)

Comment 5 Ján Rusnačko 2015-02-10 16:07:16 UTC
How to reproduce:

> require 'nokogiri'
> d=Nokogiri::XML.parse("<!DOCTYPE root [ <!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<root><e>&ent;</e></root>")
> d.children.children.children.text

Should not return contents of /etc/passwd, but empty string.


Analysis:

For this to be exploitable both Nokogiri and libxml2 that it uses must be vulnerable. Up until 1.6.0 Nokogiri used system libxml2, from that version upwards upstream bundles libxml2 together with Nokogiri, but gives an option to use system libxml2 anyway. Last but not least, the entity expansion has been issue in the libxml2 itself, and patches for those issues prevent this Nokogiri issue too. For details read on.

There are two flaws in Nokogiri and underlying libxml2:
* general XXE attack
* parameter expansion attack

The parameter expansion attack is fixed by Nokogiri by introducing NONET patch in 1.5.4 disallowing network connections, and libxml 2.9.2. Additionally, patch for CVE-2014-0191 (see bug 1090976) also prevents parameter expansion attack.

The general XXE attack is fixed in:
* Nokogiri 1.5.4 by NONET patch, but still allows inclusion of local files
* libxml2 2.9.0 contains bugfix: Do not fetch external parsed entities
* libxml2 2.9.2 contains security fix: CVE-2014-0191 Do not fetch external parameter entities
* the fixes for two issues above were backported to RHEL-6 in libxml2-2.7.6-9.el6 and libxml2-2.7.6-15.el6

Comment 7 Vasyl Kaigorodov 2015-03-16 12:25:09 UTC
Statement:

This issue affects the versions of ruby193-rubygem-nokogiri as shipped with Red Hat Satellite 6 and Red Hat OpenStack 6. Red Hat Product Security has rated this issue as having moderate security impact. A future update may address this issue.

Red Hat Product Security has rated this issue as having no security impact for rubygem-nokogiri as shipped with: Red Hat Enterprise MRG 2.5, Red Hat Subscription Asset Manager 1.3, Red Hat CloudForms Management Engine 5.3.0, Red Hat OpenShift Enterprise 2.2.0; for ruby193-rubygem-nokogiri as shipped with Red Hat Satellite 6, Red Hat Subscription Asset Manager 1.3, Red Hat CloudForms Management Engine 5.3.0, Red Hat OpenStack 4.0, Red Hat OpenStack Foreman, Red Hat OpenStack 6, Red Hat OpenShift Enterprise 2.2.0; and for mingw-rubygem-nokogiri as shipped with Red Hat CloudForms Management Engine 5.3.0. This issue is not currently planned to be addressed in future updates.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.