We recently discovered and disclosed two vulnerabilities in Nokogiri, a popular Ruby library. This is a great example of a “Copy-Paste Vulnerability” (CPV), so I wanted to share some details on how we discovered, verified, and disclosed these issues.
You can read up on the vulnerabilities in our Registry:
- SRCCLR-SID-2416: Copy-paste Vulnerability (CPV) Through libxml2
- SRCCLR-SID-2417: Copy-paste Vulnerability (CPV) Through libxslt
These issues were not found in Nokogiri directly, but in an embedded version of the C libraries libxml2 and libxslt. The Nokogiri team responded quickly and has released a fixed version, v1.6.8.
I started by investigating a few libxml2 vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449), looking for instances of Copy-paste Vulnerabilities. A CPV arises when a library statically builds and embeds another library in its own packages. As you might guess, these are pretty hard to track. I looked at Nokogiri’s dependencies and then installed the gem to verify that the affected versions of libxml2 and libxslt were being used.
I verified that vulnerable versions of both libraries were being used. Specifically, Nokogiri was found to be vulnerable to:
- CVE-2016-4447, which is caused by a heap-based buffer underread in xmlParseName in parser.c. An application is potentially vulnerable if it processes arbitrary, untrusted, user-supplied XML files
- CVE-2016-4448, where it is possible to carry out format string attacks
- CVE-2016-4449, where the parser would fetch the content of external entities while in non-validating mode
- CVE-2015-7995, where attackers can cause a Denial of Service (DoS) with a specially crafted XSLT document. The vulnerability exists due to a type confusion issue in the preprocessing attribute where the xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element

Furthermore, when verifying our discovery, the Nokogiri maintainers identified a vulnerability in libxslt as well: CVE-2015-7995.
The rest of the disclosure timeline looks like this:
- 05/26/2016 – Email notification to the Nokogiri maintainers
- 05/27/2016 – The maintainers acknowledged the issue
- 05/28/2016 – The maintainers asked for additional information
- 05/30/2016 – We responded with additional details
- 05/31/2016 – The maintainers notified me of an additional vulnerability (CVE-2015-7995) they discovered in another embedded C library, libxslt 1.1.28
- 05/31/2016 – The maintainers created a GitHub Issue to track their fix
- 06/01/2016 – SourceClear published the vulnerability artifacts in our Registry
- 06/06/2016 – A fixed version (1.6.8) of Nokogiri is released
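
To check whether a project still resolves to a Nokogiri release older than the fixed 1.6.8, the resolved versions can be read out of its `Gemfile.lock`. The following is an added example, not code from the original post or from the Nokogiri project; the sample lockfile is constructed and the helper names `nokogiri_specs` and `needs_upgrade?` are hypothetical.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# First Nokogiri release with the fixed embedded libraries, per the post.
FIXED_NOKOGIRI = Gem::Version.new("1.6.8")

# Constructed sample lockfile (not taken from the post).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.0.0)
      nokogiri (1.6.7.2)
        mini_portile2 (~> 2.0.0.rc2)
      nokogiri (1.6.7.2-x86-mingw32)
        mini_portile2 (~> 2.0.0.rc2)
      loofah (2.0.3)
        nokogiri (>= 1.5.9)

  PLATFORMS
    ruby
    x86-mingw32
LOCK

# Resolved specs sit at exactly four spaces of indentation; the six-space
# lines beneath them are dependency constraints, not installed versions.
SPEC_LINE = /\A {4}(?<name>[^\s(]+) \((?<version>[^)\s-]+)(?:-(?<platform>[^)]+))?\)\s*\z/

# Returns one hash per resolved nokogiri entry (hypothetical helper).
def nokogiri_specs(lockfile_text)
  lockfile_text.each_line.map { |line| SPEC_LINE.match(line.chomp) }.compact
               .select { |m| m[:name] == "nokogiri" }
               .map do |m|
    version = Gem::Version.new(m[:version])
    # Prereleases such as 1.6.8.rc3 sort below 1.6.8 and are reported as unfixed.
    { version: version.to_s, platform: m[:platform] || "ruby",
      fixed: version >= FIXED_NOKOGIRI }
  end
end

# True when any resolved nokogiri entry predates the fixed release.
def needs_upgrade?(lockfile_text)
  nokogiri_specs(lockfile_text).any? { |spec| !spec[:fixed] }
end

nokogiri_specs(SAMPLE_LOCKFILE).each { |spec| puts spec.inspect } if $PROGRAM_NAME == __FILE__
```

The lockfile only identifies the gem release; a gem built against system libraries uses whatever libxml2 and libxslt the host provides, so those need to be checked separately.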
Detecting Copy-paste Vulnerabilities is uniquely challenging, but we’re always glad for the opportunity to put our research skills to work in making the open source community safer.
If you’re interested in knowing more about how we find such Copy-paste Vulnerabilities, you can vote for Vanessa Henderson’s talk at the next Hack In The Box conference in Singapore, where she will cover several detection and mitigation strategies.