[DRE-maint] CVE-2019-5477: ruby-nokogiri issue caused by rexical

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Aug 30 12:25:16 BST 2019


Hi,

while triaging ruby-nokogiri/CVE-2019-5477, I noticed this in [1]:

```
[...]

This vulnerability appears in code generated by the Rexical gem  
versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate  
lexical scanner code for parsing CSS queries. The underlying  
vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to  
this version of Rexical in Nokogiri v1.10.4.
```

The file lib/nokogiri/css/tokenizer.rb in nokogiri gets generated via
rexical and is shipped in the nokogiri upstream repo.

Debian jessie did not have rexical, so I suppose the generated code  
was simply shipped in Debian jessie's version of ruby-nokogiri.  
Interesting, how to patch that...

However, in Debian stretch and beyond, we have rexical; however, I did
not spend time on finding out whether ruby-nokogiri in stretch
re-generates lib/nokogiri/css/tokenizer.rb or whether the
upstream-shipped copy is used.

However, to address CVE-2019-5477 it should also be associated with the
rexical src:pkg in stretch and later. @security-team: can you please
update data/CVE/list appropriately (instead of me updating it and you
correcting my change)? Thanks!

Greets,
Mike

[1] https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc
-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
