RubyGems - nokogiri - Versions diffs - 1.7.1-x86-mingw32 → 1.7.2-x86-mingw32 - Mend

nokogiri 1.7.1-x86-mingw32 → 1.7.2-x86-mingw32

Potentially problematic release.

This version of nokogiri might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -0
data/Manifest.txt +2 -0
data/lib/nokogiri/2.1/nokogiri.so +0 -0
data/lib/nokogiri/2.2/nokogiri.so +0 -0
data/lib/nokogiri/2.3/nokogiri.so +0 -0
data/lib/nokogiri/version.rb +1 -1
data/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch +31 -0
data/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch +74 -0
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f1b1bf63ae05ca828c430a607144bcdc68192d6b
-  data.tar.gz: 5fa3b3f0f1922a4731896c899c4d146534bbd0eb
+  metadata.gz: 194a2931731efc5f98958e828cc92317a74d3e56
+  data.tar.gz: 84f9c75085635e3e3428f3e17ea808381683de2f
 SHA512:
-  metadata.gz: 00627cce239c85a2be1b695866c0e965e5c9b9af523e4c00dc9a55f40e220dd8a8bf88ed309f0c24d75f7bf7e325000733132b5ae5baf09fa0bedb5c5c717854
-  data.tar.gz: 1263df3c60dc9ea2e2398124562892b8bb2c8d491836480208b88d799de18d7e05788c46c3ad8b4c48a4e05003eb8347a4d07ad65fe0473dedbe598e9242e2cc
+  metadata.gz: e41f1054daafd9a7908d5e0e0140e3a5a40ea33ffabf67318794c9bbbc3a4b5e815675d4d9942aeabda1dacb978f066524fae7b06be01ff5db60e8d1bce285c9
+  data.tar.gz: 4ab1b50261eeff6bd339efa9de0b314be7e1d7fdc6df8b437efa1f97f3bedbc927cf27a097057da5be05bbecb0ad2e1778ae3d46c10ba3c0fbb00089e41e8dcc

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,16 @@
+# 1.7.2 / 2017-05-09
+## Security Notes
+[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
+For more information:
+* https://github.com/sparklemotion/nokogiri/issues/1634
+* http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
 # 1.7.1 / unreleased
 ## Security Notes

data/Manifest.txt CHANGED Viewed

@@ -249,6 +249,8 @@ lib/xsd/xmlparser/nokogiri.rb
 patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch
 patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch
 patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch
+patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
 patches/sort-patches-by-date
 suppressions/README.txt
 suppressions/nokogiri_ree-1.8.7.358.supp

data/lib/nokogiri/2.1/nokogiri.so CHANGED Viewed

Binary file

data/lib/nokogiri/2.2/nokogiri.so CHANGED Viewed

Binary file

data/lib/nokogiri/2.3/nokogiri.so CHANGED Viewed

Binary file

data/lib/nokogiri/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = '1.7.1'
+  VERSION = '1.7.2'
   class VersionInfo # :nodoc:
     def jruby?

data/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch ADDED Viewed

@@ -0,0 +1,31 @@
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+     }
+     /* We have finished the integer part, now work on fraction */
+-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++    if ( (*the_format != 0) &&
++         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+         format_info.add_decimal = TRUE;
+ 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
+     }
+--
+2.9.3

data/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch ADDED Viewed

@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+Originally reported to Chromium:
+https://crbug.com/676623
+---
+ libxslt/transform.c     | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133f..02bff34 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+         return(target);
+     if (ctxt->lasttext == target->content) {
++        int minSize;
+-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++        /* Check for integer overflow accounting for NUL terminator. */
++        if (len >= INT_MAX - ctxt->lasttuse) {
++            xsltTransformError(ctxt, NULL, target,
++                "xsltCopyText: text allocation failed\n");
++            return(NULL);
++        }
++        minSize = ctxt->lasttuse + len + 1;
++
++        if (ctxt->lasttsize < minSize) {
+ 	    xmlChar *newbuf;
+ 	    int size;
++            int extra;
++
++            /* Double buffer size but increase by at least 100 bytes. */
++            extra = minSize < 100 ? 100 : minSize;
++
++            /* Check for integer overflow. */
++            if (extra > INT_MAX - ctxt->lasttsize) {
++                size = INT_MAX;
++            }
++            else {
++                size = ctxt->lasttsize + extra;
++            }
+-	    size = ctxt->lasttsize + len + 100;
+-	    size *= 2;
+ 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ 	    if (newbuf == NULL) {
+ 		xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b178..5ad1771 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+      * Speed optimization when coalescing text nodes
+      */
+     const xmlChar  *lasttext;		/* last text node content */
+-    unsigned int    lasttsize;		/* last text node size */
+-    unsigned int    lasttuse;		/* last text node use */
++    int             lasttsize;		/* last text node size */
++    int             lasttuse;		/* last text node use */
+     /*
+      * Per Context Debugging
+      */
+--
+2.9.3

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.7.2
 platform: x86-mingw32
 authors:
 - Aaron Patterson
@@ -12,7 +12,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-20 00:00:00.000000000 Z
+date: 2017-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mini_portile2
@@ -413,6 +413,8 @@ files:
 - patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch
 - patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch
 - patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch
+- patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+- patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
 - patches/sort-patches-by-date
 - suppressions/README.txt
 - suppressions/nokogiri_ree-1.8.7.358.supp