GHSA-v6gp-9mmm-c6p5
Out-of-bounds Write in zlib affects Nokogiri
상세
## Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib
- **Severity**: High - **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write - **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2018-25032 [ADVISORY]
- https://github.com/advisories/GHSA-jc36-42cf-vqwj [ADVISORY]
- https://github.com/sparklemotion/nokogiri [PACKAGE]
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 [WEB]
- https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer [WEB]