Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 495218 - <dev-ruby/nokogiri-1.6.4.1: Two Denial of Service Vulnerabilities
Summary: <dev-ruby/nokogiri-1.6.4.1: Two Denial of Service Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/56179/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-24 11:52 UTC by Agostino Sarubbo
Modified: 2015-07-20 16:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-24 11:52:52 UTC
From ${URL} :

Description

Two vulnerabilities have been reported in the Nokogiri gem for Ruby, which can be exploited by 
malicious people to cause a DoS (Denial of Service).

1) An error when parsing XML documents can be exploited to cause an infinite loop and subsequently 
exhaust memory and cause a crash via a specially crafted XML document.

2) An error when parsing XML entities and can be exploited to exhaust memory and cause a crash via 
a specially crafted XML document including external entity references.

The vulnerabilities are reported in the 1.6.x versions prior to 1.6.1 and the 1.5.x versions prior 
to 1.5.11 running on JRuby.


Solution:
Update to version 1.6.1 or 1.5.11 or apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits:
1) Yoko Harada and John Shahid.
2) Jonas Nicklas.

Original Advisory:
https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev 2013-12-24 14:18:48 UTC
Upstream doesn't have release tags for these versions so we can't easily bump this. I've filed a bug for this: https://github.com/sparklemotion/nokogiri/issues/1025

Note that this issue only affects nokogiri when used with jruby. The wording in the bug is ambigous regarding 1.6.1, but this is also only relevant when using jruby.
Comment 2 Hans de Graaff gentoo-dev 2015-07-10 06:31:11 UTC
Current stable nokogiri version is 1.6.4.1 and I just removed 1.5.10 which was still vulnerable.
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-07-10 11:42:06 UTC
All vulnerable versions have been removed. 

GLSA Coordinators: Please vote
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-10 12:13:30 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2015-07-20 16:54:55 UTC
GLSA Vote: No