[DRE-maint] Bug#940905: rexical: CVE-2019-5477
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 21 17:21:12 BST 2019
Source: rexical
Version: 1.0.5-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for rexical.
CVE-2019-5477[0]:
| A command injection vulnerability in Nokogiri v1.10.3 and earlier
| allows commands to be executed in a subprocess via Ruby's
| `Kernel.open` method. Processes are vulnerable only if the
| undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being
| called with unsafe user input as the filename. This vulnerability
| appears in code generated by the Rexical gem versions v1.0.6 and
| earlier. Rexical is used by Nokogiri to generate lexical scanner code
| for parsing CSS queries. The underlying vulnerability was addressed in
| Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
| Nokogiri v1.10.4.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list