-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2018-25032.yml
44 lines (37 loc) · 1.61 KB
/
CVE-2018-25032.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
---
gem: nokogiri
cve: 2018-25032
ghsa: v6gp-9mmm-c6p5
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
title: Out-of-bounds Write in zlib affects Nokogiri
date: 2022-04-11
description: |
## Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032).
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used.
Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby)
for a complete description of which platform gems vendor `zlib`. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's `zlib`
release announcements.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib
- **Severity**: High
- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html)
Out of bounds write
- **Description**: zlib before 1.2.12 allows memory corruption when
deflating (i.e., when compressing) if the input has many distant matches.
cvss_v3: 7.5
patched_versions:
- ">= 1.13.4"
related:
ghsa:
- jc36-42cf-vqwj
url:
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ