Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 495218 - <dev-ruby/nokogiri- Two Denial of Service Vulnerabilities
Summary: <dev-ruby/nokogiri- Two Denial of Service Vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2013-12-24 11:52 UTC by Agostino Sarubbo
Modified: 2015-07-20 16:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-24 11:52:52 UTC
From ${URL} :


Two vulnerabilities have been reported in the Nokogiri gem for Ruby, which can be exploited by 
malicious people to cause a DoS (Denial of Service).

1) An error when parsing XML documents can be exploited to cause an infinite loop and subsequently 
exhaust memory and cause a crash via a specially crafted XML document.

2) An error when parsing XML entities and can be exploited to exhaust memory and cause a crash via 
a specially crafted XML document including external entity references.

The vulnerabilities are reported in the 1.6.x versions prior to 1.6.1 and the 1.5.x versions prior 
to 1.5.11 running on JRuby.

Update to version 1.6.1 or 1.5.11 or apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits:
1) Yoko Harada and John Shahid.
2) Jonas Nicklas.

Original Advisory:!topic/ruby-security-ann/DeJpjTAg1FA

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev 2013-12-24 14:18:48 UTC
Upstream doesn't have release tags for these versions so we can't easily bump this. I've filed a bug for this:

Note that this issue only affects nokogiri when used with jruby. The wording in the bug is ambigous regarding 1.6.1, but this is also only relevant when using jruby.
Comment 2 Hans de Graaff gentoo-dev 2015-07-10 06:31:11 UTC
Current stable nokogiri version is and I just removed 1.5.10 which was still vulnerable.
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-07-10 11:42:06 UTC
All vulnerable versions have been removed. 

GLSA Coordinators: Please vote
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-07-10 12:13:30 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-20 16:54:55 UTC
GLSA Vote: No