nokogiri bundles a copied version of the Libxml2 library. Libxml2 is susceptible to two stack-based buffer overflow vulnerabilities.

The first is CVE-2017-9047. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer buf whose capacity is given by the size argument. After content->prefix has been appended to buf, content->name is written to the buffer. The function does check whether the name will fit, but the check uses the len variable, which still holds the buffer length measured before the prefix was concatenated, rather than the current strlen(buf). This only happens when content->type is XML_ELEMENT_CONTENT_ELEMENT. Because the check is performed against a stale length, an attacker-supplied name can cause extra bytes to be written beyond the allocated memory.

The second is CVE-2017-9048, at the end of the same function xmlSnprintfElementContent in valid.c. Libxml2 doesn't check that strlen(buf) + 2 < size before the final strcat, which allows the function to append 2 more characters than the buffer can hold.
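As an added illustration (not Libxml2's or nokogiri's own code) of the two checks discussed above, the following models a single element step: the stale-length arithmetic behind the first bug as a pure calculation, and a corrected append that refreshes the length after every strcat and also tests the trailing suffix. The function names, the exact-fit arithmetic and the suffix argument are assumptions made for the example.

```c
#include <string.h>

/* Added illustration of the checks described above; not libxml2's code.
 * One XML_ELEMENT_CONTENT_ELEMENT step: append "prefix:" (if any), then
 * name, then an occurrence suffix such as "*" or " ?", into buf, which
 * holds a NUL-terminated string and has a total capacity of size bytes. */

/* The stale-length mistake as pure arithmetic (nothing is written): the
 * vulnerable check trusts a len taken BEFORE "prefix:" was appended, so it
 * believes there are prefix_len + 1 more bytes of slack than really exist.
 * Returns 1 when that stale check would accept a name that does not fit. */
int stale_len_check_is_wrong(size_t size, size_t len_before_prefix,
                             size_t prefix_len, size_t name_len)
{
    size_t real_len = len_before_prefix + prefix_len + 1;       /* after "prefix:" */
    int stale_ok = size - len_before_prefix > name_len;         /* what the bug tests */
    int real_ok = real_len < size && size - real_len > name_len; /* what it should */
    return stale_ok && !real_ok;
}

/* Corrected sequence: refresh the used length after every strcat and check
 * the trailing suffix too (for a two-byte suffix this is exactly the missing
 * strlen(buf) + 2 < size test). Returns 0 on success, -1 if any piece would
 * not fit, in which case buf is restored to what it held on entry. */
int append_element_content(char *buf, size_t size, const char *prefix,
                           const char *name, const char *suffix)
{
    size_t start = strlen(buf);   /* assumes buf is valid, so start < size */
    size_t len = start;

    if (prefix != NULL) {
        if (size - len <= strlen(prefix) + 1) goto fail; /* prefix, ':' and NUL */
        strcat(buf, prefix);
        strcat(buf, ":");
        len = strlen(buf);        /* refresh; never reuse the stale len */
    }
    if (size - len <= strlen(name)) goto fail;           /* name and NUL */
    strcat(buf, name);
    len = strlen(buf);

    if (size - len <= strlen(suffix)) goto fail;         /* suffix and NUL */
    strcat(buf, suffix);
    return 0;

fail:
    buf[start] = '\0';
    return -1;
}
```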
seclists.org/oss-sec/2017/q2/258
www.debian.org/security/2017/dsa-3952
www.openwall.com/lists/oss-security/2017/05/15/1
www.securityfocus.com/bid/98599
bugzilla.novell.com/show_bug.cgi?id=1039063
bugzilla.novell.com/show_bug.cgi?id=1039064
github.com/GNOME/libxml2/commit/932cc9896ab41475d4aa429c27d9afd175959d74
github.com/sparklemotion/nokogiri/issues/1673
lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
security.gentoo.org/glsa/201711-01