GMS-2022-787: Out-of-bounds Write in zlib affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 “High” on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you’ve overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro’s zlib release announcements.
Mitigation
Upgrade to Nokogiri >= v1.13.4.
Impact
<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-25032" target="_blank" rel="nofollow">CVE-2018-25032</a> in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
References
- github.com/advisories/GHSA-jc36-42cf-vqwj
- github.com/advisories/GHSA-v6gp-9mmm-c6p5
- github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
- groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
- nvd.nist.gov/vuln/detail/CVE-2018-25032
Code Behaviors & Features
Detect and mitigate GMS-2022-787 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →