Ox gem stack overflow in sax_parse

2018-03-0518:29:32

Google

osv.dev

0.001 Low

EPSS

Percentile

28.7%

JSON

In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the read_from_str function in sax_buf.c when a crafted input is supplied to sax_parse.

CPENameOperatorVersion
oxeq1.2.1
oxeq2.7.0
oxeq1.2.5
oxeq1.3.5
oxeq2.4.6
oxeq2.5.0
oxeq1.5.0
oxeq2.1.0
oxeq1.9.0
oxeq1.8.1

Name	Operator	Version
ox	eq	1.2.1
ox	eq	2.7.0
ox	eq	1.2.5
ox	eq	1.3.5
ox	eq	2.4.6
ox	eq	2.5.0
ox	eq	1.5.0
ox	eq	2.1.0
ox	eq	1.9.0
ox	eq	1.8.1

Rows per page:

1-10 of 1171

References

github.com/ohler55/ox

github.com/ohler55/ox/issues/195

github.com/rubysec/ruby-advisory-db/blob/master/gems/ox/CVE-2017-16229.yml

nvd.nist.gov/vuln/detail/CVE-2017-16229

rubygems.org/gems/ox/versions/2.8.1

0.001 Low

EPSS

Percentile

28.7%

JSON

Related for OSV:GHSA-WFWM-CHJ7-W59R