Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.
libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5
, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt
release announcements.
Upgrade to Nokogiri >= 1.13.5
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14
which will also address these same issues.
All versions of libml2 prior to v2.9.14 are affected.
Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.
{ "nvd_published_at": null, "github_reviewed_at": "2022-05-18T20:06:48Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-190" ] }