Severity: HIGH (7.5)
GHSA-7553-jr98-vx47
libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation
Details
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched its vendored copy of libxml2 to prevent this issue from affecting Nokogiri.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7595 [ADVISORY]
- https://github.com/sparklemotion/nokogiri/issues/1992 [WEB]
- https://www.oracle.com/security-alerts/cpuoct2021.html [WEB]
- https://www.oracle.com/security-alerts/cpujul2022.html [WEB]
- https://www.oracle.com/security-alerts/cpujul2020.html [WEB]
- https://www.oracle.com/security-alerts/cpuapr2022.html [WEB]
- https://usn.ubuntu.com/4274-1 [WEB]
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08 [WEB]
- https://security.netapp.com/advisory/ntap-20200702-0005 [WEB]
- https://security.gentoo.org/glsa/202010-04 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL [WEB]
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html [WEB]
- https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076 [WEB]
- https://github.com/sparklemotion/nokogiri [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml [WEB]
- https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html [WEB]