Skip to content

GHSA SYNC: 1 brand new advisory #868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 22, 2025
Merged

GHSA SYNC: 1 brand new advisory #868

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions gems/nokogiri/GHSA-5w6v-399v-w3cc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
---
gem: nokogiri
ghsa: 5w6v-399v-w3cc
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve
CVE-2025-32414 and CVE-2025-32415
date: 2025-04-21
description: |
## Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to
[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).

libxml2 v2.13.8 addresses:

- CVE-2025-32414
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

## Impact

### CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
memory access can occur in the Python API (Python bindings) because
of an incorrect return value. This occurs in xmlPythonFileRead and
xmlPythonFileReadRaw because of a difference between bytes and characters.

**There is no impact** from this CVE for Nokogiri users.

### CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2,
xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer
under-read. To exploit this, a crafted XML document must be validated
against an XML schema with certain identity constraints, or a
crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

> The bug affects validation against untrusted XML Schemas (.xsd)
> and validation of untrusted documents against trusted Schemas if
> they make use of xsd:keyref in combination with recursively
> defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW
(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.
patched_versions:
- ">= 1.18.8"
related:
cve:
- CVE-2025-32414
- CVE-2025-32415
url:
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
- https://github.com/advisories/GHSA-5w6v-399v-w3cc