DoS Vulnerabilities in Nokogiri on JRuby


Mike Dalessio

Dec 14, 2013, 8:57:21 PM12/14/13
to ruby-sec...@googlegroups.com
Please note: this email contains notices of two distinct DoS vulnerabilities in Nokogiri on JRuby.


--------------------


Memory Exhaustion Vulnerability in Nokogiri

There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory.

Versions Affected:  All.
Not affected:       1.4.x and earlier
Fixed Versions:     1.6.1, 1.5.11

Impact
------
Affects Nokogiri users on JRuby using the native Java extension.  Attackers can send carefully crafted XML documents that cause the XML processor to enter an infinite loop, exhausting the process memory until the server crashes.

Impacted code will look something like this:

  doc = Nokogiri.XML(untrusted_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
Strict parsing can be used to work around this issue.  For example, change this code:

  doc = Nokogiri.XML(untrusted_input)

to this code:

  begin
    doc = Nokogiri.XML(untrusted_input) { |c| c.strict }
  rescue Nokogiri::XML::SyntaxError
    # error handling
  end

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 1-6-malformed_parser_tracking.patch - Patch for 1.6 series
* 1-5-malformed_parser_tracking.patch - Patch for 1.5 series

Please note that only the 1.5.x and 1.6.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Yoko Harada and John Shahid for reporting and fixing this.


--------------------


Entity Expansion Vulnerability in Nokogiri

There is an entity expansion vulnerability in Nokogiri when using JRuby.

Versions Affected:  All.
Not affected:       1.4.x and earlier
Fixed Versions:     1.6.1, 1.5.11

Impact
------
Affects Nokogiri users on JRuby using the native Java extension.  Attackers can send XML documents with carefully crafted entity expansion strings that cause the server to run out of memory and crash.

Impacted code will look something like this:

  doc = Nokogiri.XML(untrusted_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
Strict parsing can be used to work around this issue.  For example, change
this code:

  doc = Nokogiri.XML(untrusted_input)

to this code:

  begin
    doc = Nokogiri.XML(untrusted_input) { |c| c.strict }
  rescue Nokogiri::XML::SyntaxError
    # error handling
  end

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 1-6-entity_expansion.patch - Patch for 1.6 series
* 1-5-entity_expansion.patch - Patch for 1.5 series

Please note that only the 1.5.x and 1.6.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Jonas Nicklas for reporting this, and John Shahid for fixing this.

