HIGH 7.5

GHSA-8c56-cpmw-89x7

Out-of-bounds read in nokogiri

Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. GitHub is notifying on nokogiri as uses libxml2.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / nokogiri

Introduced in: 0 Fixed in: 1.8.1

Fix bundle update nokogiri

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9050 [ADVISORY]
https://security.gentoo.org/glsa/201711-01 [WEB]
http://www.debian.org/security/2017/dsa-3952 [WEB]
http://www.openwall.com/lists/oss-security/2017/05/15/1 [WEB]