yegor256 / blog

My blog about computers, written in Jekyll and deployed to GitHub Pages
https://www.yegor256.com

Update dependency nokogiri to v1.14.3 [SECURITY] - autoclosed #589

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago


This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| nokogiri (source, changelog) | minor | `'1.13.10' -> '1.14.3'` |

GitHub Vulnerability Alerts

GHSA-pxvg-2qj5-37jq

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicates that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:


Release Notes

sparklemotion/nokogiri

### [`v1.14.3`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1143--2023-04-11)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.2...v1.14.3)

##### Security

- [CRuby] Vendored libxml2 is updated to address CVE-2023-29469, CVE-2023-28484, and one other security-related issue. See [GHSA-pxvg-2qj5-37jq](https://togithub.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq) for more information.

##### Dependencies

- [CRuby] Vendored libxml2 is updated to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.

### [`v1.14.2`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1142--2023-02-13)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.1...v1.14.2)

##### Fixed

- Calling `NodeSet#to_html` on an empty node set no longer raises an encoding-related exception. This bug was introduced in v1.14.0 while fixing [#2649](https://togithub.com/sparklemotion/nokogiri/issues/2649). [[#2784](https://togithub.com/sparklemotion/nokogiri/issues/2784)]

### [`v1.14.1`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1141--2023-01-30)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.0...v1.14.1)

##### Fixed

- Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's `Zip::OutputStream`). This was a regression in v1.14.0 due to the fix for [#752](https://togithub.com/sparklemotion/nokogiri/issues/752) in [#2434](https://togithub.com/sparklemotion/nokogiri/issues/2434), and was not completely fixed by [#2753](https://togithub.com/sparklemotion/nokogiri/issues/2753). [[#2773](https://togithub.com/sparklemotion/nokogiri/issues/2773)]
- [CRuby] Address compiler warnings about `void*` casting and old-style C function definitions.

### [`v1.14.0`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1140--2023-01-12)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.13.10...v1.14.0)

##### Notable Changes

##### Ruby

This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)

This release ends support for:

- Ruby 2.6, for which [upstream support ended 2022-04-12](https://www.ruby-lang.org/en/downloads/branches/).
- JRuby 9.3, which is not fully compatible with Ruby 2.7+

##### Faster, more reliable installation: Native Gem for `aarch64-linux` (aka `linux/arm64/v8`)

This version of Nokogiri ships *official* native gem support for the `aarch64-linux` platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.

##### Faster, more reliable installation: Native Gem for `arm-linux` (aka `linux/arm/v7`)

This version of Nokogiri ships *experimental* native gem support for the `arm-linux` platform. Please note that glibc >= 2.29 is required for arm-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.

##### Pattern matching

This version introduces an *experimental* pattern matching API for `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses).

Some documentation on what can be matched:

- [`XML::Attr#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Attr.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Document#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Document.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Namespace#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Namespace.html?h=deconstruct+namespace#method-i-deconstruct_keys)
- [`XML::Node#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::DocumentFragment#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct)
- [`XML::NodeSet#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/NodeSet.html?h=deconstruct#method-i-deconstruct)

We welcome feedback on this API at [#2360](https://togithub.com/sparklemotion/nokogiri/issues/2360).

##### Dependencies

##### CRuby

- Vendored libiconv is updated to [v1.17](https://savannah.gnu.org/forum/forum.php?forum_id=10175)

##### JRuby

- This version of Nokogiri uses [`jar-dependencies`](https://togithub.com/mkristian/jar-dependencies) to manage most of the vendored Java dependencies. `nokogiri -v` now outputs maven metadata for all Java dependencies, and `Nokogiri::VERSION_INFO` also contains this metadata. [[#2432](https://togithub.com/sparklemotion/nokogiri/issues/2432)]
- HTML parsing is now provided by `net.sourceforge.htmlunit:neko-htmlunit:2.61.0` (previously Nokogiri used a fork of `org.cyberneko.html:nekohtml`)
- Vendored Jing is updated from `com.thaiopensource:jing:20091111` to `nu.validator:jing:20200702VNU`.
- New dependency on `net.sf.saxon:Saxon-HE:9.6.0-4` (via `nu.validator:jing:20200702VNU`).

##### Added

- `Node#wrap` and `NodeSet#wrap` now also accept a `Node` type argument, which will be `dup`ed for each wrapper. For cases where many nodes are being wrapped, creating a `Node` once using `Document#create_element` and passing that `Node` multiple times is significantly faster than re-parsing markup on each call. [[#2657](https://togithub.com/sparklemotion/nokogiri/issues/2657)]
- [CRuby] Invocation of custom XPath or CSS handler functions may now use the `nokogiri` namespace prefix. Historically, the JRuby implementation *required* this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the `nokogiri` namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. [[#2147](https://togithub.com/sparklemotion/nokogiri/issues/2147)]
- `HTML5::Document#quirks_mode` and `HTML5::DocumentFragment#quirks_mode` expose the quirks mode used by the parser.

##### Improved

##### Functional

- HTML5 parser update to reflect changes to the living specification:
  - [Add the \ element by domenic · whatwg/html](https://togithub.com/whatwg/html/pull/7320)
  - [Remove parse error for \ by zcorpan · whatwg/html](https://togithub.com/whatwg/html/pull/8271)

##### Performance

- Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. [[#2596](https://togithub.com/sparklemotion/nokogiri/issues/2596), [#2569](https://togithub.com/sparklemotion/nokogiri/issues/2569)]
- Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. [[#2639](https://togithub.com/sparklemotion/nokogiri/issues/2639)]
- Compare `Encoding` objects rather than compare their names. This is a slight performance improvement and is future-proof. [[#2454](https://togithub.com/sparklemotion/nokogiri/issues/2454)] (Thanks, [@casperisfine](https://togithub.com/casperisfine)!)

##### Error handling

- `Document#canonicalize` now raises an exception if `inclusive_namespaces` is non-nil and the mode is inclusive, i.e. `XML_C14N_1_0` or `XML_C14N_1_1`. `inclusive_namespaces` can only be passed with exclusive modes, and previously this silently failed.
- Empty CSS selectors now raise a clearer `Nokogiri::CSS::SyntaxError` message, "empty CSS selector". Previously the exception raised from the bowels of `racc` was "unexpected '$' after ''". [[#2700](https://togithub.com/sparklemotion/nokogiri/issues/2700)]
- [CRuby] `XML::Reader` parsing errors encountered during `Reader#attribute_hash` and `Reader#namespaces` now raise an `XML::SyntaxError`. Previously these methods would return `nil` and users would generally experience `NoMethodErrors` from elsewhere in the code.
- Prefer `ruby_xmalloc` to `malloc` within the C extension. [[#2480](https://togithub.com/sparklemotion/nokogiri/issues/2480)] (Thanks, [@Garfield96](https://togithub.com/Garfield96)!)

##### Installation

- Avoid compile-time conflict with system-installed `gumbo.h` on OpenBSD. [[#2464](https://togithub.com/sparklemotion/nokogiri/issues/2464)]
- Remove calls to `vasprintf` in favor of platform-independent `rb_vsprintf`
- Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). [[#2505](https://togithub.com/sparklemotion/nokogiri/issues/2505)]
- [CRuby+OSX] Compiling from source on MacOS will use the clang option `-Wno-unknown-warning-option` to avoid errors when Ruby injects options that clang doesn't know about. [[#2689](https://togithub.com/sparklemotion/nokogiri/issues/2689)]

##### Fixed

- `SAX::Parser`'s `encoding` attribute will not be clobbered when an alternative encoding is passed into `SAX::Parser#parse_io`. [[#1942](https://togithub.com/sparklemotion/nokogiri/issues/1942)] (Thanks, [@kp666](https://togithub.com/kp666)!)
- Serialized `HTML4::DocumentFragment` will now be properly encoded. Previously this empty string was encoded as `US-ASCII`. [[#2649](https://togithub.com/sparklemotion/nokogiri/issues/2649)]
- `Node#wrap` now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
- [CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. [[#752](https://togithub.com/sparklemotion/nokogiri/issues/752)]
- [CRuby] The HTML5 parser now correctly handles text at the end of `form` elements.
- [CRuby] `HTML5::Document#fragment` now always uses `body` as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. [[#2553](https://togithub.com/sparklemotion/nokogiri/issues/2553)]
- [CRuby] `Nokogiri::HTML5::Document#url` now correctly returns the URL passed to the constructor method. Previously it always returned `nil`. [[#2583](https://togithub.com/sparklemotion/nokogiri/issues/2583)]
- [CRuby] `HTML5` encoding detection is now case-insensitive with respect to `meta` tag charset declaration. [[#2693](https://togithub.com/sparklemotion/nokogiri/issues/2693)]
- [CRuby] `HTML5` fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. [[#2692](https://togithub.com/sparklemotion/nokogiri/issues/2692)]
- [CRuby] `HTML5` quirks mode during fragment parsing more closely matches document parsing. [[#2646](https://togithub.com/sparklemotion/nokogiri/issues/2646)]
- [JRuby] Fixed a bug with adding the same namespace to multiple nodes via `#add_namespace_definition`. https:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
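The advisory quoted in the PR description applies only under three conditions (CRuby, Nokogiri below 1.14.3, and the packaged libxml2 rather than a system one); the Ruby check below, an added example that is not part of this PR or of the Nokogiri project, turns those conditions into a single verdict. It assumes the key names of `Nokogiri::VERSION_INFO` (`"ruby"/"engine"`, `"nokogiri"/"version"`, `"libxml"/"source"` and `"libxml"/"loaded"`) and accepts a constructed hash of the same shape, so it runs even where the gem is not installed.

```ruby
# Added example (not from the PR or the Nokogiri project): decide whether
# GHSA-pxvg-2qj5-37jq applies to one install, using the conditions the
# advisory itself states. Key names below mirror Nokogiri::VERSION_INFO
# and are an assumption about that hash's layout.
require "rubygems" # Gem::Version does the version comparison

FIXED_NOKOGIRI = Gem::Version.new("1.14.3") # first fixed gem release
FIXED_LIBXML2  = Gem::Version.new("2.10.4") # libxml2 release with the fixes

# info: a hash shaped like Nokogiri::VERSION_INFO. Returns a symbol verdict.
def advisory_status(info)
  # The advisory covers the CRuby implementation only (JRuby has no libxml2).
  return :not_affected_non_cruby unless info.dig("ruby", "engine") == "ruby"

  nokogiri_version = Gem::Version.new(info.dig("nokogiri", "version"))
  libxml = info.fetch("libxml", {})

  if libxml["source"] == "system"
    # Packaged-library advisory does not apply; the distro's libxml2 does.
    # A system libxml2 still below 2.10.4 needs a look at distro advisories.
    loaded = Gem::Version.new(libxml["loaded"].to_s)
    return loaded < FIXED_LIBXML2 ? :check_distro_libxml2 : :not_affected_system_libxml2
  end

  # Packaged libxml2: the gem version alone decides, e.g. 1.13.10 (this PR's
  # starting point) is affected, 1.14.3 and later carry libxml2 2.10.4.
  nokogiri_version < FIXED_NOKOGIRI ? :vulnerable_upgrade_nokogiri : :fixed
end

# Convenience wrapper for the live gem, when it is installed.
def live_status
  require "nokogiri"
  advisory_status(Nokogiri::VERSION_INFO)
rescue LoadError
  :nokogiri_not_installed
end

puts live_status if __FILE__ == $PROGRAM_NAME
```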

yegor256 commented 1 year ago

@rultor please, try to merge

rultor commented 1 year ago

> @rultor please, try to merge

@renovate[bot] @yegor256 Can't merge it. Some CI checks were failed. Apparently, the pull request is not ready to be merged since it has some problems. Please, fix them first.