Investigate Ubuntu libxml2 patches in USN-3504-1, USN-3504-2, USN-3513-1, USN-3513-2

[flavorjones]

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

---

Summary of findings

Upgrading Nokogiri to distribute libxml v2.9.6 or later is necessary to address one of the upstream libxml2 vulnerabilities, which is categorized "Priority: Medium" by Canonical.

[flavorjones]

USNs

USN-3504-1 and -2

The canonical Canonical links:

• https://usn.ubuntu.com/usn/usn-3504-1/
• https://usn.ubuntu.com/usn/usn-3504-2/

Both of these USNs address CVE-2017-16932:

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

USN-3513-1 and -2

The canonical Canonical links:

• https://usn.ubuntu.com/usn/usn-3513-1/
• https://usn.ubuntu.com/usn/usn-3513-2/

Both of these USNs address CVE-2017-15412:

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15412.html

CVEs

CVE-2017-15412

Description: "use after-free in xmlXPathCompOpEvalPositionPredicate"

Canonical rates this CVE as "Priority: Medium"

According to the CVE report, the patch that addresses this CVE is:

• https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73

Looking at libxml2 source ...

$ git tag --contains 0f3b843b3534784
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8-rc1

... we see this was fixed in libxml v2.9.6.

CVE-2017-16932

Description: "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."

Canonical rates this CVE as "Priority: Medium"

According to to CVE report, the patch that addresses this CVE is:

• GNOME/libxml2@899a5d9

Looking at libxml2 source ...

$ git tag --contains 899a5d9f0ed13b8e32449a08a361e0de127dd961
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8-rc1

... we see this was fixed in libxml v2.9.5

[flavorjones]

Conclusions

CVE-2017-15412

CVE-2017-15412 was addressed in libxml v2.9.6, which Nokogiri's latest release (v1.8.1) has not yet vendored. Upgrading Nokogiri to distribute libxml v2.9.6 or later is necessary to address this vulnerability.

Note that libxml v2.9.7 has been on Nokogiri master since commit 1756096 timestamped 2017-11-13, so this change is ready to go in the next release.

CVE-2017-16932

CVE-2017-16932 was addressed in libxml 2.9.5, and so Nokogiri v1.8.1 (released 2017-09-19) has already addressed this vulnerability. No action necessary.

[flavorjones]

Shipping 1.8.2 with libxml 2.9.7 will address this.