Investigate libxml2 patches in USN-5548-1

[flavorjones]

This issue is to track an investigation into the upstream patches applied by Canonical to the 2.9.10-derived version

References:

• https://ubuntu.com/security/notices/USN-5548-1
• https://ubuntu.com/security/CVE-2016-3709
• https://bugzilla.gnome.org/show_bug.cgi?id=769760

Summary of Analysis

This vulnerability was identified and addressed years ago in Nokogiri and in the downstream Loofah, Sanitize, and rails-html-sanitizer gems. No action necessary.

---

History of this issue

• 2022-08-07 Issue created after USN was issued and the Nokogiri maintainer came back from vacation
• 2022-08-07 Analysis complete, no action necessary, issue updated and closed.

[flavorjones]

Analysis

The CVE in question was fixed by GNOME/libxml2@c1ba6f5 in libxml 2.9.11. This version of libxml2 has been present since Nokogiri v1.11.4 released on 2021-05-14.

Note further, though, that this vulnerability was named in:

• CVE-2018-8048 in Loofah: CVE-2018-8048 - Loofah XSS Vulnerability flavorjones/loofah#144
• CVE-2018-3740 in Sanitize: [CVE-2018-3740] Sanitize HTML injection vulnerability rgrove/sanitize#176
• CVE-2018-3741 in rails-html-sanitizer: https://hackerone.com/reports/328270

and so the above patch was applied very early to Nokogiri's packaged libxml2 source, via commit 3872182, present in Nokogiri v1.8.3 released on 2018-06-16. Details can be found in #1746 or in the above linked reports.

Summary

This vulnerability was identified and addressed years ago in Nokogiri and in the downstream Loofah, Sanitize, and rails-html-sanitizer gems. No action necessary.