Bug 911804 - (CVE-2012-6685) VUL-0: CVE-2012-6685: rubygem-nokogiri: XML eXternal Entity (XXE) flaw
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority/Severity: P3 - Medium / Normal
Target Milestone: ---
Assigned To: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112024/
Whiteboard:
Depends on:
Blocks:

Reported: 2015-01-06 10:00 UTC by Victor Pereira
Modified: 2015-01-16 09:43 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments: none

Description Victor Pereira 2015-01-06 10:00:18 UTC
CVE-2012-6685

An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for parsing HTML, XML, and SAX. Using external XML entities, a remote attacker could specify a URL in a specially crafted XML that, when parsed, would cause a connection to that URL to be opened.

A patch shipped with the 1.5.4 release of Nokogiri provided a "nonet" option to disable external connections. However, local file URLs could still be used to exploit this flaw. The 1.6.4 release of Nokogiri fixed this issue by using libxml2 2.9.0.

References:
https://github.com/sparklemotion/nokogiri/issues/693#issuecomment-68334768
https://bugzilla.redhat.com/show_bug.cgi?id=1178970
http://seclists.org/oss-sec/2015/q1/57
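The report above describes two layers of the problem: a remote attacker controls the entity URL, and the 1.5.4 "nonet" option only closed the network side, leaving file:// URLs usable until libxml2 2.9.0 stopped fetching external parsed entities unless entity substitution is requested. The following added example (not code from the bug report or from the Nokogiri project) shows the defender-side checks a practitioner would want: a DOCTYPE gate applied before any parser sees untrusted input, an audit of Nokogiri ParseOptions for the NOENT and DTDLOAD flags that re-enable fetching, and a parse with those flags explicitly cleared. The XML payload, the marker string and the temporary file are constructed here; the `nokogiri` require is made optional so the DOCTYPE gate still runs where the gem is not installed.

```ruby
require "tempfile"
begin
  require "nokogiri"   # the gem this bug is about; optional here so the
rescue LoadError       # stdlib-only DOCTYPE gate still runs without it
end

# Constructed stand-in for a local file an XXE payload would try to pull in.
DEMO_FILE = Tempfile.new("xxe-demo")
DEMO_FILE.write("marker-secret-content")
DEMO_FILE.flush

# Constructed sample input: an internal DTD subset declaring an external
# entity behind a file:// URL, the variant the report says "nonet" alone
# did not stop.
XXE_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [ <!ENTITY ext SYSTEM "file://#{DEMO_FILE.path}"> ]>
  <data>&ext;</data>
XML

CLEAN_SAMPLE = "<data>hello</data>"

# Layer 1: refuse any untrusted document that carries a DOCTYPE at all.
# External entities can only be declared inside a DTD, so untrusted input
# has no legitimate reason to carry one.
def doctype_present?(xml)
  !!(xml =~ /<!DOCTYPE\b/i)
end

# Layer 2 (Nokogiri): audit a ParseOptions object for the two flags that let
# libxml2 fetch and substitute external content (NOENT, DTDLOAD).
def risky_parse_options?(opts)
  opts.noent? || opts.dtdload?
end

# Layer 3 (Nokogiri): parse with explicit options: network off, entity
# substitution off, DTD loading off. The &ext; reference survives as an
# entity-reference node with no content instead of the file's bytes.
def parse_untrusted(xml)
  raise ArgumentError, "DOCTYPE not allowed in untrusted XML" if doctype_present?(xml)
  Nokogiri::XML(xml) { |cfg| cfg.nonet.nonoent.nodtdload }
end

# Same hardened options without the DOCTYPE gate, to show that the parser
# settings by themselves already keep the file content out of the tree.
def parse_hardened_without_gate(xml)
  Nokogiri::XML(xml) { |cfg| cfg.nonet.nonoent.nodtdload }
end

if defined?(Nokogiri)
  doc = parse_hardened_without_gate(XXE_SAMPLE)
  leaked = doc.at("data").text.include?("marker-secret-content")
  puts "file content substituted into <data>? #{leaked}"
  defaults = Nokogiri::XML::ParseOptions.new(Nokogiri::XML::ParseOptions::DEFAULT_XML)
  puts "DEFAULT_XML carries NOENT or DTDLOAD? #{risky_parse_options?(defaults)}"
end
```

The DOCTYPE gate is the cheap, parser-independent control and is the one to apply at the trust boundary; the ParseOptions audit is what to run over existing call sites, since any `cfg.noent` or `cfg.dtdload` added for convenience silently reopens the path the report describes.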
Comment 1 Swamp Workflow Management 2015-01-06 23:00:23 UTC
bugbot adjusting priority
Comment 2 Marcus Rückert 2015-01-12 10:01:00 UTC
This smells like "we only fixed the in-tree copy of libxml2". As such, we would need to check our libxml2 packages to see if they are affected, as our normal nokogiri build should not be using the in-tree libxml2.
Comment 3 Victor Pereira 2015-01-14 14:32:01 UTC
SLE-12: you are right, but I think the old versions are using the bundled one. Please check the codestream SLE-11-SP2:GA.
Comment 4 Marcus Rückert 2015-01-14 17:59:36 UTC
The SLE-11 version does not have an in-tree copy.
Comment 5 Marcus Rückert 2015-01-14 18:03:06 UTC
Checked all others too. All the 1.6.x nokogiri versions build with the system libraries export, and 1.4 is not affected.
Comment 6 Victor Pereira 2015-01-16 09:43:20 UTC
OK, thank you.