Fluid Attacks Database

Description

Out-of-bounds read in nokogiri libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. GitHub is notifying on nokogiri as uses libxml2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	nokogiri	>=0 <1.8.1	1.8.1
debian 11	libxml2	>=0 <2.9.4+dfsg1-3.1	2.9.4+dfsg1-3.1
debian 12	libxml2	>=0 <2.9.4+dfsg1-3.1	2.9.4+dfsg1-3.1
debian 13	libxml2	>=0 <2.9.4+dfsg1-3.1	2.9.4+dfsg1-3.1
debian 14	libxml2	>=0 <2.9.4+dfsg1-3.1	2.9.4+dfsg1-3.1
rpm rhel7	libxml2	-	-
nuget	libxml2	=2.9.4	-
rpm rhel8	mingw-libxml2	-	-
rpm rhel5	libxml2	-	-
rpm rhel6	libxml2	-	-

Aliases

1. CVE-2017-90502. NVD-2017-90503. OSV-2017-90504. OSV-DEBIAN-2017-90505. GCVE-2017-90506. security.gentoo.org7. SECURITY-TRACKER-CVE-2017-9050

References

1. http://www.debian.org/security/2017/dsa-39522. http://www.openwall.com/lists/oss-security/2017/05/15/1