CRITICAL 9.8

GHSA-fr52-4hqw-p27f

Nokogiri does not forbid namespace nodes in XPointer ranges

상세

xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / nokogiri

최초 영향 버전: 0 수정 버전: 1.7.1

수정 bundle update nokogiri

참고

https://nvd.nist.gov/vuln/detail/CVE-2016-4658 [ADVISORY]
https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b [WEB]
https://security.gentoo.org/glsa/201701-37 [WEB]
https://support.apple.com/HT207141 [WEB]
https://support.apple.com/HT207142 [WEB]
https://support.apple.com/HT207143 [WEB]
https://support.apple.com/HT207170 [WEB]
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html [WEB]
http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html [WEB]
http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html [WEB]
http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html [WEB]