|
| 1 | +--- |
| 2 | +gem: nokogiri |
| 3 | +ghsa: pxvg-2qj5-37jq |
| 4 | +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq |
| 5 | +title: Update packaged libxml2 to v2.10.4 to resolve multiple CVEs |
| 6 | +date: 2023-04-11 |
| 7 | +description: | |
| 8 | + ### Summary |
| 9 | +
|
| 10 | + Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to |
| 11 | + [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3. |
| 12 | +
|
| 13 | + libxml2 v2.10.4 addresses the following known vulnerabilities: |
| 14 | +
|
| 15 | + - [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of |
| 16 | + empty dict strings isn't deterministic |
| 17 | + - [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref |
| 18 | + in xmlSchemaFixupComplexType |
| 19 | + - Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK |
| 20 | +
|
| 21 | + Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, |
| 22 | + and only if the _packaged_ libraries are being used. If you've overridden defaults at installation |
| 23 | + time to use _system_ libraries instead of packaged libraries, you should instead pay attention to |
| 24 | + your distro's `libxml2` release announcements. |
| 25 | +
|
| 26 | +
|
| 27 | + ### Mitigation |
| 28 | +
|
| 29 | + Upgrade to Nokogiri `>= 1.14.3`. |
| 30 | +
|
| 31 | + Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile |
| 32 | + and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these |
| 33 | + same issues. |
| 34 | +
|
| 35 | +
|
| 36 | + ### Impact |
| 37 | +
|
| 38 | + No public information has yet been published about the security-related issues other than the |
| 39 | + upstream commits. Examination of those changesets indicate that the more serious issues relate to |
| 40 | + libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs. |
| 41 | +
|
| 42 | + The commits can be examined at: |
| 43 | +
|
| 44 | + - [\[CVE-2023-29469\] Hashing of empty dict strings isn't deterministic (09a2dd45)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64) |
| 45 | + - [\[CVE-2023-28484\] Fix null deref in xmlSchemaFixupComplexType (647e072e)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f) |
| 46 | + - [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6) |
| 47 | +patched_versions: |
| 48 | +- ">= 1.14.3" |
| 49 | +related: |
| 50 | + url: |
| 51 | + - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4 |
| 52 | + cve: |
| 53 | + - 2023-29469 |
| 54 | + - 2023-28484 |
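Review bot: `patched_versions: - ">= 1.14.3"` will match every nokogiri gem below 1.14.3 on any platform, but the description restricts the advisory to "the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used", so JRuby users and anyone who built against system libxml2 (already told to follow their distro's release announcements) will get a false positive from tooling such as bundler-audit, which compares gem versions only. Consider saying in the Mitigation section that the scanner cannot distinguish these cases and that such users may suppress the finding once they have confirmed their libxml2 is `>= 2.10.4`, rather than leaving that inference to the reader. Two smaller points: the third fix listed under Summary, "Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK", has no CVE in `related.cve`, which is correct per the commit link but worth a short note so nobody "fixes" the omission later; and the doubled blank lines before `### Mitigation` and `### Impact` inside the `description: |` block scalar render as extra paragraph gaps, so one blank line between sections is enough.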