GHSA-2QC6-MCVW-92CW
Vulnerability from github – Published: 2022-10-18 18:12 – Updated: 2022-10-18 18:13
VLAI
Summary
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Details
Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.
libxml2 v2.10.3 addresses the following known vulnerabilities:
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.9.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.
Impact
libxml2 CVE-2022-2309
- CVSS3 score: Under evaluation
- Type: Denial of service
- Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.
libxml2 CVE-2022-40304
- CVSS3 score: Unspecified upstream
- Type: Data corruption, denial of service
- Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2
libxml2 CVE-2022-40303
- CVSS3 score: Unspecified upstream
- Type: Integer overflow
- Description: Integer overflows with XML_PARSE_HUGE
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
References
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T18:12:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nNokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to [v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from v2.9.14.\n\nlibxml2 v2.10.3 addresses the following known vulnerabilities:\n\n- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)\n- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)\n- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri `\u003c 1.13.9`, and only if the _packaged_ libraries are being used. If you\u0027ve overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro\u0027s `libxml2` release announcements.\n\n\n### Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.9`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `\u003e= 2.10.3` which will also address these same issues.\n\n\n### Impact\n\n#### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)\n\n- **CVSS3 score**: Under evaluation\n- **Type**: Denial of service\n- **Description**: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn\u0027t be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.\n\nNokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.\n\n\n#### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)\n\n- **CVSS3 score**: Unspecified upstream\n- **Type**: Data corruption, denial of service\n- **Description**: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.\n\nSee https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2\n\n\n#### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)\n\n- **CVSS3 score**: Unspecified upstream\n- **Type**: Integer overflow\n- **Description**: Integer overflows with XML_PARSE_HUGE\n\nSee https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0\n\n\n### References\n\n- [libxml2 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases)\n- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)\n- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)\n- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)\n",
"id": "GHSA-2qc6-mcvw-92cw",
"modified": "2022-10-18T18:13:48Z",
"published": "2022-10-18T18:12:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Update bundled libxml2 to v2.10.3 to resolve multiple CVEs"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…