2074340 – (CVE-2022-24839) CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)

Bug 2074340 (CVE-2022-24839) - CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)

Summary: CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.h...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-24839
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2074341 2074342 2074777 2074778 2074779 2075226
Blocks:	2074343
TreeView+	depends on / blocked

Reported:	2022-04-12 04:35 UTC by Avinash Hanwate
Modified:	2022-07-07 11:54 UTC (History)
CC List:	30 users (show)
Fixed In Version:	rubygem-nokogiri 1.9.22.noko2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the nokogiri library when processing an ill-formed HTML markup. This flaw allows an attacker to cause uncontrolled resource consumption, which affects performance.
Clone Of:
Environment:
Last Closed:	2022-06-01 12:33:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2022-04-12 04:35:08 UTC

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. 

Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Comment 1 Avinash Hanwate 2022-04-12 04:35:47 UTC

Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074341]
Affects: fedora-all [bug 2074342]

Comment 4 Jun Aruga 2022-06-01 12:33:29 UTC

I think the rubygem-nokogiri RPM doesn't ship the Java part at least on Fedora package. We can just close this ticket.
https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/rawhide/f/rubygem-nokogiri.spec#_61
https://src.fedoraproject.org/rpms/rubygem-nokogiri/blob/rawhide/f/rubygem-nokogiri.spec#_144
> rm -rf .%{gem_instdir}/ext/java

Note You need to log in before you can comment on or make changes to this bug.

akarol
bbuckingham
bcourt
btotty
dmetzger
ehelms
extras-orphan
gmccullo
gtanzill
jaruga
jfrey
jhardy
jsherril
lzap
mhulan
mmccune
mtasaka
myarboro
nmoumoul
obarenbo
orabin
pcreech
pvalena
rchan
roliveri
ruby-maint
simaishi
smallamp
vanmeeuwen+fedora
vondruch