Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 884863 (CVE-2022-23476) - <dev-ruby/nokogiri-1.13.10: denial of service
Summary: <dev-ruby/nokogiri-1.13.10: denial of service
Status: IN_PROGRESS
Alias: CVE-2022-23476
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/sparklemotion/noko...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 885439
Blocks:
  Show dependency tree
 
Reported: 2022-12-08 18:05 UTC by John Helmert III
Modified: 2023-10-07 08:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 18:05:13 UTC 
CVE-2022-23476:

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Please stabilize 1.13.10.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-11 23:37:31 UTC 
Please cleanup.
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-07 08:53:22 UTC 
commit 174a6378aae468e3127984fc2a99a06116d8a55a
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Tue Jan 31 08:19:47 2023 +0100

    dev-ruby/nokogiri: drop 1.13.6