Hi, while triaging ruby-nokogiri/CVE-2019-5477, I noticed this in [1]: ``` [...]This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
```The file lib/nokogiri/css/tokenizer.rb in nokogiri gets generated via rexical and is shipped in the nokogiri upstream repo.
Debian jessie did not have rexical, so I suppose the generated code was simply shipped in Debian jessie's version of ruby-nokogiri. Interesting, how to patch that...
However, in Debian stretch and beyond, we have rexical, however, I did not spend time on finding out, if ruby-nokogiri in stretch re-generates the lib/nokogiri/css/tokenizer.rb or if the upstream-shipped copy is used.
However, to address CVE-2019-5477 it should also be associated to the rexical src:pkg in stretch and later. @security-team: can you please update data/CVE/list appropriately (instead of me updating it and you correcting my change)? Thanks!
Greets, Mike[1] https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc
-- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpeL5ABeBfdh.pgp
Description: Digitale PGP-Signatur