Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14Yzl4LWpqNzctOXA5as4AA5Ek

Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.16.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.12.5 which will also address these same issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

Permalink: https://github.com/advisories/GHSA-xc9x-jj77-9p9j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Yzl4LWpqNzctOXA5as4AA5Ek
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 25 days ago
Updated: 25 days ago


Identifiers: GHSA-xc9x-jj77-9p9j
References:

Affected Packages

rubygems:nokogiri
Versions: < 1.16.2
Fixed in: 1.16.2