[DRE-maint] Bug#940905: rexical: CVE-2019-5477

Salvatore Bonaccorso carnil at debian.org
Sat Sep 21 17:21:12 BST 2019

Source: rexical
Version: 1.0.5-2
Severity: grave
Tags: security upstream
Justification: user security hole


The following vulnerability was published for rexical.

| A command injection vulnerability in Nokogiri v1.10.3 and earlier
| allows commands to be executed in a subprocess via Ruby's
| `Kernel.open` method. Processes are vulnerable only if the
| undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being
| called with unsafe user input as the filename. This vulnerability
| appears in code generated by the Rexical gem versions v1.0.6 and
| earlier. Rexical is used by Nokogiri to generate lexical scanner code
| for parsing CSS queries. The underlying vulnerability was addressed in
| Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
| Nokogiri v1.10.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5477


More information about the Pkg-ruby-extras-maintainers mailing list