[DRE-maint] Bug#940905: rexical: CVE-2019-5477
carnil at debian.org
Sat Sep 21 17:21:12 BST 2019
Tags: security upstream
Justification: user security hole
The following vulnerability was published for rexical.
| A command injection vulnerability in Nokogiri v1.10.3 and earlier
| allows commands to be executed in a subprocess via Ruby's
| `Kernel.open` method. Processes are vulnerable only if the
| undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being
| called with unsafe user input as the filename. This vulnerability
| appears in code generated by the Rexical gem versions v1.0.6 and
| earlier. Rexical is used by Nokogiri to generate lexical scanner code
| for parsing CSS queries. The underlying vulnerability was addressed in
| Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
| Nokogiri v1.10.4.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
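The mechanism behind the advisory, as an added example that is not part of this bug report and not Rexical's or Nokogiri's own code: Kernel#open treats a filename beginning with "|" as a shell command to spawn and read from, so a loader that passes caller-controlled filenames to Kernel#open is a command-injection sink, while File.open treats the same string as a plain path. The method names, the probe helper and the sample inputs are constructed for illustration.

```ruby
require "tempfile"

# Sketch of the vulnerable pattern the advisory describes: a load_file-style
# helper that hands a caller-supplied filename straight to Kernel#open.
# Kernel#open interprets a leading "|" as "spawn the rest as a shell command
# and return its stdout", so "|echo pwned" executes `echo pwned`.
# (Illustrative reconstruction, not the code Rexical generates.)
def load_file_vulnerable(filename)
  open(filename) { |io| io.read }   # Kernel#open: "|cmd" spawns cmd
end

# Hardened form, matching the class of fix the advisory refers to:
# File.open never interprets "|", so "|echo pwned" is just a filename that
# does not exist and raises Errno::ENOENT instead of running anything.
def load_file_safe(filename)
  File.open(filename, "r") { |io| io.read }
end

# Run one filename through both loaders and report each outcome as a
# [status, value] pair so the behavioural difference is explicit.
def outcome
  [:read, yield]
rescue Errno::ENOENT => e
  [:enoent, e.message]
end

def probe(filename)
  {
    vulnerable: outcome { load_file_vulnerable(filename) },
    safe:       outcome { load_file_safe(filename) },
  }
end

# A constructed, benign scanner-definition file: on an ordinary path both
# loaders behave identically, which is why the sink is easy to miss.
def probe_regular_file(content = "rule:\n  \\d+  { [:INT, text] }\n")
  Tempfile.create("scanner") do |f|
    f.write(content)
    f.flush
    probe(f.path)
  end
end

# The injected "filename". `echo pwned` is used as a harmless stand-in for
# whatever command an attacker would actually supply.
INJECTED_FILENAME = "|echo pwned"

def probe_injected
  probe(INJECTED_FILENAME)
end
```

On a normal path both loaders return the file contents; on the injected string only the Kernel#open variant yields "pwned\n", which is the stdout of the spawned command. Beyond switching to File.open, it is also worth rejecting any filename that contains "|" or that does not resolve under an expected base directory, and RuboCop's Security/Open cop flags Kernel#open on non-literal arguments.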