nokogiri 1.8.4-x64-mingw32 → 1.8.5-x64-mingw32


Potentially problematic release.


This version of nokogiri might be problematic. Click here for more details.

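--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: d5b294b0e48442642366ecefbf14dce94f8338db8ac4972ff334e26ede1fbe22
- data.tar.gz: ed398e2593f8d9d76b3860d328714dbe0c901fd83ac6b4ced4cab09eda22a130
+ metadata.gz: 70c121c55c52756db02c9232e5df7cc5b28b6123b95642ccd4d930207bbd92f2
+ data.tar.gz: 29fb6bdfecdd8952a2dc09d2a1f21884565eb0281b18ee8ed68b0a380a0c0d15
  SHA512:
- metadata.gz: de0e6fc1280c47130b22bc5494df477e3c8b200f36a047f0a7075b869d90f3778286dabca6c5f463b709985514abc3a0b9ca664f00f6f5372c417803d3148a1f
- data.tar.gz: b8011e6ed558080d9e558b922ef340a2799c95c3ab9639b9d22c0d74cf6536f6f1ab05013c82d135ceb355cef284308d784a9b00b98a474ab7dd46d069bf9b64
+ metadata.gz: 4b5f362a1e6eb103628cb34f7110f2f19fbaf201fae0b1b8fea5e5f4c56de78ae55b34859ce270c6fbd78c3ef06a0709be18fe9ccfca1bb10fffd70ca2705d76
+ data.tar.gz: 01bfad1562798983788ad209f75bb44b23c97813e061d33f3882a438dffe87139e9067d87d72d3135b410ac18b5ae54910ce2ea16b09bb01737da07b1c9d7cd1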
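--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+ # 1.8.5 / 2018-10-04
+
+ ## Security Notes
+
+ [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785](https://github.com/sparklemotion/nokogiri/issues/1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
+
+
+ ## Bug fixes
+
+ * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
+ * [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
+
+
  # 1.8.4 / 2018-07-03
 
  ## Bug fixes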
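--- a/data/Manifest.txt
+++ b/data/Manifest.txt
@@ -251,6 +251,8 @@ lib/xercesImpl.jar
  lib/xml-apis.jar
  lib/xsd/xmlparser/nokogiri.rb
  patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
+ patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
+ patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
  patches/sort-patches-by-date
  suppressions/README.txt
  suppressions/nokogiri_ruby-2.supp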
@@ -434,7 +434,7 @@ end
434
434
 
435
435
  if RbConfig::MAKEFILE_CONFIG['CC'] =~ /gcc/
436
436
  $CFLAGS << " -O3" unless $CFLAGS[/-O\d/]
437
- $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wextra -Wmissing-noreturn -Winline"
437
+ $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wmissing-noreturn -Winline"
438
438
  end
439
439
 
440
440
  case
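Review bot: `-Wextra` is dropped from the gcc warning set on the `$CFLAGS <<` line with nothing on the page saying why, so the C extension is now compiled with fewer diagnostics than in 1.8.4. If the flag was removed to quiet noise from one compiler or header, that reason belongs next to the line, for example `# -Wextra omitted: <reason — which compiler/header produced the noise>`. If only one warning was the problem, suppressing that single warning would keep the rest of `-Wextra` active. The `case` statement after the `if` block continues outside the hunk.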
Binary file
Binary file
Binary file
Binary file
@@ -1,6 +1,6 @@
1
1
  module Nokogiri
2
2
  # The version of Nokogiri you are using
3
- VERSION = '1.8.4'
3
+ VERSION = '1.8.5'
4
4
 
5
5
  class VersionInfo # :nodoc:
6
6
  def jruby?
@@ -0,0 +1,54 @@
1
+ From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
2
+ From: Nick Wellnhofer <wellnhofer@aevum.de>
3
+ Date: Mon, 30 Jul 2018 12:54:38 +0200
4
+ Subject: [PATCH] Fix nullptr deref with XPath logic ops
5
+
6
+ If the XPath stack is corrupted, for example by a misbehaving extension
7
+ function, the "and" and "or" XPath operators could dereference NULL
8
+ pointers. Check that the XPath stack isn't empty and optimize the
9
+ logic operators slightly.
10
+
11
+ Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
12
+
13
+ Also see
14
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
15
+ https://bugzilla.redhat.com/show_bug.cgi?id=1595985
16
+
17
+ This is CVE-2018-14404.
18
+
19
+ Thanks to Guy Inbar for the report.
20
+ ---
21
+ xpath.c | 10 ++++------
22
+ 1 file changed, 4 insertions(+), 6 deletions(-)
23
+
24
+ diff --git a/xpath.c b/xpath.c
25
+ index 3fae0bf..5e3bb9f 100644
26
+ --- a/xpath.c
27
+ +++ b/xpath.c
28
+ @@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
29
+ return(0);
30
+ }
31
+ xmlXPathBooleanFunction(ctxt, 1);
32
+ - arg1 = valuePop(ctxt);
33
+ - arg1->boolval &= arg2->boolval;
34
+ - valuePush(ctxt, arg1);
35
+ + if (ctxt->value != NULL)
36
+ + ctxt->value->boolval &= arg2->boolval;
37
+ xmlXPathReleaseObject(ctxt->context, arg2);
38
+ return (total);
39
+ case XPATH_OP_OR:
40
+ @@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
41
+ return(0);
42
+ }
43
+ xmlXPathBooleanFunction(ctxt, 1);
44
+ - arg1 = valuePop(ctxt);
45
+ - arg1->boolval |= arg2->boolval;
46
+ - valuePush(ctxt, arg1);
47
+ + if (ctxt->value != NULL)
48
+ + ctxt->value->boolval |= arg2->boolval;
49
+ xmlXPathReleaseObject(ctxt->context, arg2);
50
+ return (total);
51
+ case XPATH_OP_EQUAL:
52
+ --
53
+ 2.17.1
54
+
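Review bot: The new `if (ctxt->value != NULL)` guard in the `and` branch, and its twin in the `or` branch, skips the combine silently, and nothing at either site says that a NULL top-of-stack is the corrupted-stack case named in the commit message. A short comment above each guard would record that, e.g. `/* ctxt->value is NULL only when the XPath stack is corrupted (e.g. by an extension function); skip the combine */`. Whether an XPath error is already set on that path depends on `xmlXPathBooleanFunction` and on parts of `xmlXPathCompOpEval` outside the hunks, so that should be confirmed against the full function. `arg2` is also obtained outside the visible lines.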
@@ -0,0 +1,50 @@
1
+ From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
2
+ From: Nick Wellnhofer <wellnhofer@aevum.de>
3
+ Date: Mon, 30 Jul 2018 13:14:11 +0200
4
+ Subject: [PATCH] Fix infinite loop in LZMA decompression
5
+ MIME-Version: 1.0
6
+ Content-Type: text/plain; charset=UTF-8
7
+ Content-Transfer-Encoding: 8bit
8
+
9
+ Check the liblzma error code more thoroughly to avoid infinite loops.
10
+
11
+ Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
12
+ Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
13
+
14
+ This is CVE-2018-9251 and CVE-2018-14567.
15
+
16
+ Thanks to Dongliang Mu and Simon Wörner for the reports.
17
+ ---
18
+ xzlib.c | 9 +++++++++
19
+ 1 file changed, 9 insertions(+)
20
+
21
+ diff --git a/xzlib.c b/xzlib.c
22
+ index a839169..0ba88cf 100644
23
+ --- a/xzlib.c
24
+ +++ b/xzlib.c
25
+ @@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
26
+ "internal error: inflate stream corrupt");
27
+ return -1;
28
+ }
29
+ + /*
30
+ + * FIXME: Remapping a couple of error codes and falling through
31
+ + * to the LZMA error handling looks fragile.
32
+ + */
33
+ if (ret == Z_MEM_ERROR)
34
+ ret = LZMA_MEM_ERROR;
35
+ if (ret == Z_DATA_ERROR)
36
+ @@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
37
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
38
+ return -1;
39
+ }
40
+ + if ((state->how != GZIP) &&
41
+ + (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
42
+ + xz_error(state, ret, "lzma error");
43
+ + return -1;
44
+ + }
45
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
46
+
47
+ /* update available output and crc check value */
48
+ --
49
+ 2.17.1
50
+
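Review bot: The added guard before the `while` condition carries no comment tying it to the loop it protects. With `ret` holding a liblzma error and `strm->avail_out` non-zero, `strm->avail_out && ret != LZMA_STREAM_END` stays true, which is presumably the infinite loop the commit fixes. Suggest `/* a status other than LZMA_OK or LZMA_STREAM_END will not advance the stream; fail instead of looping */` above the `if`. The gzip path is excluded by `state->how != GZIP` and depends on the zlib handling earlier in `xz_decomp`, which the patch's own FIXME calls fragile and which lies partly outside the hunk. No regression test for either CVE is visible on this page.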
@@ -197,6 +197,17 @@ module Nokogiri
197
197
  end
198
198
  end
199
199
 
200
+ describe "given the new document is empty" do
201
+ it "adds the node to the new document" do
202
+ doc1 = Nokogiri::XML.parse("<value>3</value>")
203
+ doc2 = Nokogiri::XML::Document.new
204
+ node = doc1.at_xpath("//value")
205
+ node.remove
206
+ doc2.add_child(node)
207
+ assert_match /<value>3<\/value>/, doc2.to_xml
208
+ end
209
+ end
210
+
200
211
  describe "given a parent node with a default namespace" do
201
212
  before do
202
213
  @doc = Nokogiri::XML(<<-eoxml)
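Review bot: `assert_match /<value>3<\/value>/, doc2.to_xml` passes a regexp literal as the first argument without parentheses, which Ruby reports as an ambiguous first argument when warnings are on; `assert_match(%r{<value>3</value>}, doc2.to_xml)` avoids that and the escaped slash. The test also checks only the serialized XML, so adding `assert_equal doc2, node.document` would pin the reparenting itself, which is what the changelog entry for #1773 describes. The enclosing `describe` blocks start outside the hunk.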
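--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: nokogiri
  version: !ruby/object:Gem::Version
- version: 1.8.4
+ version: 1.8.5
  platform: x64-mingw32
  authors:
  - Aaron Patterson
@@ -14,7 +14,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-07-03 00:00:00.000000000 Z
+ date: 2018-10-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: mini_portile2
@@ -436,6 +436,8 @@ files:
  - lib/nokogiri/xslt/stylesheet.rb
  - lib/xsd/xmlparser/nokogiri.rb
  - patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
+ - patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
+ - patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
  - patches/sort-patches-by-date
  - suppressions/README.txt
  - suppressions/nokogiri_ruby-2.supp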