HIGH 7.5 RubyGems
Out-of-bounds Write in zlib affects Nokogiri
GHSA-v6gp-9mmm-c6p5
Published ยท Modified
Description
Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.
Mitigation
Upgrade to Nokogiri >= v1.13.4.
Impact
CVE-2018-25032 in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
References
- WEB https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-25032
- ADVISORY https://github.com/advisories/GHSA-jc36-42cf-vqwj
- PACKAGE https://github.com/sparklemotion/nokogiri
- WEB https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- WEB https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
Ready to move
Start Securing
Free, no credit card | First findings in minutes