Lucene search

K
githubGitHub Advisory DatabaseGHSA-V6GP-9MMM-C6P5
HistoryApr 11, 2022 - 9:21 p.m.

Out-of-bounds Write in zlib affects Nokogiri

2022-04-1121:21:28
CWE-787
GitHub Advisory Database
github.com
29

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 “High” on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you’ve overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro’s zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787 Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CPENameOperatorVersion
nokogirilt1.13.4
Related for GHSA-V6GP-9MMM-C6P5