Bug 884863 (CVE-2022-23476)

Summary:	<dev-ruby/nokogiri-1.13.10: denial of service
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	ruby
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
Whiteboard:	A3 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	885439
Bug Blocks:

Description John Helmert III archtester

2022-12-08 18:05:13 UTC

CVE-2022-23476:

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Please stabilize 1.13.10.

Comment 1 John Helmert III archtester

2022-12-11 23:37:31 UTC

Please cleanup.

Comment 2 Hans de Graaff gentoo-dev

2023-10-07 08:53:22 UTC

commit 174a6378aae468e3127984fc2a99a06116d8a55a
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Tue Jan 31 08:19:47 2023 +0100

    dev-ruby/nokogiri: drop 1.13.6