nokogiri gem, versions <1.7.2 #76

Closed
@irew

Description

Hi,

I have a message from someone using https://www.hackerone.com/. They posted:

I was looking through some of your GitHub code and came across a couple of vulnerabilities in your dependencies.
Arbitrary Code Execution and Out of Bounds Memory Write (several more issues). Upgrading nokogiri would remediate all potential vulnerabilities
CVE-2016-4738
Affecting nokogiri gem, versions <1.7.2
Vulnerable module: nokogiri 1.6.6.2
Introduced through: [email protected]
ISSUE:
nokogiri is an HTML, XML, SAX, and Reader parser, with the ability to search documents via XPath or CSS3 selectors.
Affected versions of the package are vulnerable to Arbitrary Code Execution or a Denial of Service (memory corruption) via a crafted web site. Nokogiri bundles the libxslt library, which is vulnerable in versions below 3. The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Additional issues with nokogiri
The CVEs assigned to the vulnerabilities are:
CVE-2017-0663
It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code.
CVE-2017-7375
It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information.
CVE-2017-7376
It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code.
CVE-2017-9047
A buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code.
CVE-2017-9048
A buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service.
CVE-2017-9049, CVE-2017-9050
Multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service.
THE FIX:
Upgrade nokogiri to version 1.8.1 or higher to fix all issues with nokogiri

Just thought I'd let you know.
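An added example, not code from this issue or from the nokogiri project: a small Ruby script that reads the resolved nokogiri version out of a Gemfile.lock and reports which of the CVEs listed above still apply, using the thresholds stated in the report (CVE-2016-4738 fixed from 1.7.2; the libxml2 CVEs treated as fixed from 1.8.1, which is an assumption drawn from the report's single "upgrade to 1.8.1 or higher" fix line rather than per-CVE data). The Gemfile.lock content is constructed for the example; the locked nokogiri version matches the "Vulnerable module" named in the report.

```ruby
require "rubygems" # Gem::Version ships with RubyGems; loaded by default on modern Ruby

# Constructed Gemfile.lock fragment for the example (not taken from the issue).
# The locked nokogiri version matches the "Vulnerable module" named in the report.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.0.0)
      nokogiri (1.6.6.2)
        mini_portile2 (~> 2.0.0.rc2)
      rails (4.2.5)
        nokogiri (>= 1.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 4.2.5)
LOCK

# Thresholds taken from the report: CVE-2016-4738 affects versions <1.7.2; for the
# libxml2 CVEs the report only states that 1.8.1 or higher fixes them all, so that
# single threshold is applied to each of them (an assumption, not per-CVE data).
NOKOGIRI_ADVISORIES = [
  { cve: "CVE-2016-4738", fixed_in: "1.7.2" },
  { cve: "CVE-2017-0663", fixed_in: "1.8.1" },
  { cve: "CVE-2017-7375", fixed_in: "1.8.1" },
  { cve: "CVE-2017-7376", fixed_in: "1.8.1" },
  { cve: "CVE-2017-9047", fixed_in: "1.8.1" },
  { cve: "CVE-2017-9048", fixed_in: "1.8.1" },
  { cve: "CVE-2017-9049", fixed_in: "1.8.1" },
  { cve: "CVE-2017-9050", fixed_in: "1.8.1" },
].freeze

# Return the resolved version of +gem_name+ from the GEM/specs section of a
# Gemfile.lock, or nil if the gem is not locked. Resolved gems sit at exactly
# four spaces of indentation; their own dependencies (six spaces) are skipped,
# so "nokogiri (>= 1.6)" under rails is not mistaken for a locked version.
def locked_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\z/
  lockfile_text.each_line(chomp: true) do |line|
    m = pattern.match(line)
    return m[1] if m
  end
  nil
end

# Compare with Gem::Version rather than as strings: "1.6.6.2" sorts correctly
# against "1.7.2", and "1.10.0" is not mistaken for being older than "1.9.0".
def applicable_advisories(version_string)
  current = Gem::Version.new(version_string)
  NOKOGIRI_ADVISORIES.select { |adv| current < Gem::Version.new(adv[:fixed_in]) }
end

# Audit a lockfile for the nokogiri issues listed in the report.
def audit(lockfile_text)
  version = locked_version(lockfile_text, "nokogiri")
  return { version: nil, vulnerable: false, cves: [] } if version.nil?

  cves = applicable_advisories(version).map { |adv| adv[:cve] }
  { version: version, vulnerable: !cves.empty?, cves: cves }
end

if $PROGRAM_NAME == __FILE__
  result = audit(SAMPLE_LOCKFILE)
  puts "nokogiri #{result[:version]}: #{result[:vulnerable] ? 'VULNERABLE' : 'ok'}"
  result[:cves].each { |cve| puts "  #{cve}" }
end
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). The point of the Gem::Version comparison is that the report's threshold is a version range, and a plain string compare gets four-part versions like 1.6.6.2 and two-digit components wrong; bundler-audit does the same job against the Ruby advisory database, but this shows the check in a dozen lines.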
