GHSA-v6gp-9mmm-c6p5
Out-of-bounds Write in zlib affects Nokogiri
Details
## Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib
- **Severity**: High - **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write - **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2018-25032 [ADVISORY]
- https://github.com/advisories/GHSA-jc36-42cf-vqwj [ADVISORY]
- https://github.com/sparklemotion/nokogiri [PACKAGE]
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 [WEB]
- https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer [WEB]