Source: ruby-nokogiri
Version: 1.19.3+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for ruby-nokogiri.

CVE-2026-57234[0]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, the NONET parse option, which
| Nokogiri turns on by default for Nokogiri::XML::Schema (see
| CVE-2020-26247), was not correctly enforced on the JRuby
| implementation. As a result, a schema parsed with default options
| could still cause external resources to be fetched over the network,
| potentially enabling SSRF or XXE attacks. This vulnerability is
| fixed in 1.19.4.

CVE-2026-57235[1]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[]
| (and its alias #slice) checked the requested index against the node
| set's bounds using a 32-bit-truncated copy of the index. A large
| negative index could pass the check and then be used at full width,
| reading outside the node set's storage. On CRuby this is an out-of-
| bounds read that typically crashes the process; on JRuby it is not
| memory-unsafe but returns an incorrect node. This vulnerability is
| fixed in 1.19.4.

CVE-2026-57236[2]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, calling Document#encoding=
| with an invalid encoding (e.g., a non-string, or a string containing
| a null byte) raises an exception, but only after freeing the
| document's current encoding string without replacing it. The
| document is left referencing freed memory, so the next call to
| Document#encoding reads invalid memory, which can cause a segfault
| or leak freed bytes into a Ruby String. Affects the CRuby (libxml2)
| implementation only; JRuby is not affected. This vulnerability is
| fixed in 1.19.4.

CVE-2026-57434[3]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri contains a bug when
| calling certain methods on allocated-but-uninitialized native
| wrapper classes that inherit from Nokogiri::XML::Node. This caused a
| NULL pointer dereference that could crash the process. This
| vulnerability is fixed in 1.19.4.

CVE-2026-57435[4]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri's CRuby native
| extension could leave a Ruby wrapper pointing to freed memory when
| replacing the value of an XML attribute. If Ruby code had already
| accessed an attribute child node, Nokogiri::XML::Attr#value= could
| free the underlying native child node while the wrapper remained
| reachable through the document node cache. A later use of the freed
| child node or a Ruby GC mark could dereference an invalid pointer,
| causing an invalid read and a possible segfault. This vulnerability
| is fixed in 1.19.4.

CVE-2026-57436[5]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::Document#root=
| validated only that the new root was a Nokogiri::XML::Node, allowing
| a DTD node to be set as the document root. The result is a heap use-
| after-free during garbage collection or finalization, leading to an
| invalid memory read or potentially a segfault. This vulnerability is
| fixed in 1.19.4.

CVE-2026-57437[6]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext
| did not keep its source document alive for garbage collection. If an
| XPathContext outlived its document and the document was collected,
| evaluating an XPath expression could read invalid memory and
| potentially segfault. This is only reachable when application code
| constructs an XPathContext directly and lets the document become
| unreachable while continuing to use the context. The normal
| Document#xpath, #css, and related search methods are not affected,
| and it is not triggerable by malicious document input. This
| vulnerability is fixed in 1.19.4.

CVE-2026-57438[7]:
| Nokogiri is an open source XML and HTML library for the Ruby
| programming language. Prior to 1.19.4, XInclude substitution
| performed by Nokogiri::XML::Node#do_xinclude replaced each
| <xi:include> in place, freeing the include node along with its
| children (such as <xi:fallback> and its descendants) and any
| namespaces declared on them. If an application had already exposed
| one of those nodes or namespaces to Ruby, the corresponding Ruby
| object was left pointing at freed memory. Using the object could
| result in invalid reads or writes to memory. This vulnerability is
| fixed in 1.19.4.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-57234
    https://www.cve.org/CVERecord?id=CVE-2026-57234
[1] https://security-tracker.debian.org/tracker/CVE-2026-57235
    https://www.cve.org/CVERecord?id=CVE-2026-57235
[2] https://security-tracker.debian.org/tracker/CVE-2026-57236
    https://www.cve.org/CVERecord?id=CVE-2026-57236
[3] https://security-tracker.debian.org/tracker/CVE-2026-57434
    https://www.cve.org/CVERecord?id=CVE-2026-57434
[4] https://security-tracker.debian.org/tracker/CVE-2026-57435
    https://www.cve.org/CVERecord?id=CVE-2026-57435
[5] https://security-tracker.debian.org/tracker/CVE-2026-57436
    https://www.cve.org/CVERecord?id=CVE-2026-57436
[6] https://security-tracker.debian.org/tracker/CVE-2026-57437
    https://www.cve.org/CVERecord?id=CVE-2026-57437
[7] https://security-tracker.debian.org/tracker/CVE-2026-57438
    https://www.cve.org/CVERecord?id=CVE-2026-57438

Regards,
Salvatore
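All eight advisories above share one fix version, 1.19.4, but three of them are scoped to a single Ruby implementation (CVE-2026-57234 to JRuby; CVE-2026-57236 and CVE-2026-57435 to CRuby). The Ruby script below is an added example, not part of this bug report and not Nokogiri's or Debian's own tooling: it reads a Gemfile.lock, extracts the locked nokogiri version and platform suffix, and lists which of the CVEs quoted above still apply. The Gemfile.lock samples are constructed for the example; the per-CVE implementation scoping follows the advisory text, and entries the text does not scope are reported for both implementations.

```ruby
# Audit a Gemfile.lock for a nokogiri older than 1.19.4 and list which of
# the advisories quoted in the bug report apply. Added example; the
# sample lockfiles below are constructed, not taken from a real project.
require "rubygems"

FIXED_VERSION = Gem::Version.new("1.19.4")

# :cruby, :jruby or :both, as stated in each CVE description; entries whose
# description names no implementation are marked :both.
NOKOGIRI_CVES = {
  "CVE-2026-57234" => { impl: :jruby, summary: "NONET not enforced for XML::Schema on JRuby (SSRF/XXE)" },
  "CVE-2026-57235" => { impl: :both,  summary: "NodeSet#[] bounds check on 32-bit-truncated index" },
  "CVE-2026-57236" => { impl: :cruby, summary: "Document#encoding= frees encoding string before raising" },
  "CVE-2026-57434" => { impl: :both,  summary: "NULL dereference on uninitialized Node wrapper subclasses" },
  "CVE-2026-57435" => { impl: :cruby, summary: "Attr#value= leaves wrapper pointing at freed child node" },
  "CVE-2026-57436" => { impl: :both,  summary: "Document#root= accepts a DTD node (use-after-free at GC)" },
  "CVE-2026-57437" => { impl: :both,  summary: "XPathContext does not keep its document alive for GC" },
  "CVE-2026-57438" => { impl: :both,  summary: "do_xinclude frees nodes/namespaces still exposed to Ruby" },
}.freeze

# A top-level spec line in Gemfile.lock, e.g. "    nokogiri (1.19.3-x86_64-linux)".
# Dependency lines are indented six spaces and carry operators, so they do not match.
# The platform suffix must be captured separately: Gem::Version.new("1.19.3-java")
# would treat "-java" as a prerelease tag and compare *below* 1.19.3.
NOKOGIRI_LINE = /^ {4}nokogiri \((\d+(?:\.\d+)+)(?:-([\w-]+))?\)\s*$/

# Returns { version: Gem::Version, platform: String or nil }, or nil if nokogiri is not locked.
def locked_nokogiri(lockfile_text)
  lockfile_text.each_line do |line|
    m = NOKOGIRI_LINE.match(line)
    return { version: Gem::Version.new(m[1]), platform: m[2] } if m
  end
  nil
end

# The "java" platform gem is the JRuby build; anything else (native or source) runs on CRuby.
def implementation_for(platform)
  platform == "java" ? :jruby : :cruby
end

# CVE ids that apply to the locked version on the given implementation
# (defaults to the implementation implied by the lock's platform suffix).
def applicable_cves(lockfile_text, impl = nil)
  locked = locked_nokogiri(lockfile_text)
  return [] if locked.nil? || locked[:version] >= FIXED_VERSION

  impl ||= implementation_for(locked[:platform])
  NOKOGIRI_CVES.select { |_, meta| meta[:impl] == :both || meta[:impl] == impl }.keys
end

# Constructed sample lockfiles.
SAMPLE_LOCK_CRUBY = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.19.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  DEPENDENCIES
    nokogiri (>= 1.15)
LOCK
SAMPLE_LOCK_JRUBY = SAMPLE_LOCK_CRUBY.sub("1.19.3-x86_64-linux", "1.19.3-java")
SAMPLE_LOCK_FIXED = SAMPLE_LOCK_CRUBY.sub("1.19.3-x86_64-linux", "1.19.4-x86_64-linux")

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK_CRUBY
  locked = locked_nokogiri(text)
  if locked.nil?
    puts "nokogiri is not locked in this Gemfile.lock"
  else
    puts "nokogiri #{locked[:version]} (#{locked[:platform] || 'source'}), fixed in #{FIXED_VERSION}"
    applicable_cves(text).each { |id| puts "  #{id}: #{NOKOGIRI_CVES[id][:summary]}" }
  end
end
```

Run it as `ruby nokogiri_audit.rb path/to/Gemfile.lock`; with no argument it audits the constructed CRuby sample. The script reports based on the lock's platform suffix only, so a lock without a suffix (a source build) is treated as CRuby; pass `:jruby` as the second argument to `applicable_cves` when the deployment is known to run JRuby.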

