RubySec

Providing security resources for the Ruby community

CVE-2015-7499 (nokogiri): Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2

ADVISORIES

GEM

nokogiri

SEVERITY

CVSS v2: 5.0 (Medium)

UNAFFECTED VERSIONS

  • < 1.6.0

PATCHED VERSIONS

  • >= 1.6.7.2

DESCRIPTION

Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.

libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.