Skip to content

Commit b157c43

Browse files
authored
Merge pull request #1143 from jasnow/nokogiri-549-advs
GHSA/SYNC: And 4 more oj gem advisories
2 parents d3101eb + b6610eb commit b157c43

4 files changed

Lines changed: 115 additions & 0 deletions

File tree

gems/oj/CVE-2026-54900.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
---
2+
gem: oj
3+
cve: 2026-54900
4+
ghsa: 9cv6-qcjw-4grx
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
6+
title: Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling
7+
date: 2026-06-19
8+
description: |
9+
### Summary
10+
11+
`Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable
12+
to heap corruption via a negative-size `memcpy`. When a JSON object key
13+
is exactly 65,535 bytes long, an integer truncation in `form_attr`
14+
(`usual.c:63`) converts the length to `-1` before passing it to `memcpy`.
15+
This causes `memcpy` to copy `SIZE_MAX` bytes (interpreted as a huge
16+
`size_t`), corrupting heap memory and crashing the process.
17+
cvss_v4: 8.7
18+
patched_versions:
19+
- ">= 3.17.3"
20+
related:
21+
url:
22+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
23+
- https://rubygems.org/gems/oj/versions/3.17.3
24+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
25+
- https://github.com/ohler55/oj/pull/1015
26+
- https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
27+
- https://github.com/advisories/GHSA-9cv6-qcjw-4grx
28+
notes: |
29+
- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.

gems/oj/CVE-2026-54901.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
---
2+
gem: oj
3+
cve: 2026-54901
4+
ghsa: vwm4-62gf-x745
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
6+
title: Oj- Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking
7+
date: 2026-06-19
8+
description: |
9+
### Summary
10+
11+
`Oj::Parser` in usual mode does not mark `array_class` and `hash_class`
12+
references during garbage collection. If GC runs after the class is
13+
assigned but before a parse, the class object is reclaimed, leaving
14+
the parser holding a dangling VALUE. The subsequent `parse` call
15+
dereferences the freed object, producing a segfault.
16+
cvss_v4: 8.7
17+
patched_versions:
18+
- ">= 3.17.3"
19+
related:
20+
url:
21+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
22+
- https://rubygems.org/gems/oj/versions/3.17.3
23+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
24+
- https://github.com/ohler55/oj/pull/1015
25+
- https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745
26+
- https://github.com/advisories/GHSA-vwm4-62gf-x745
27+
notes: |
28+
- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.

gems/oj/CVE-2026-54902.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
gem: oj
3+
cve: 2026-54902
4+
ghsa: m578-w5vf-rfcm
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
6+
title: Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback
7+
date: 2026-06-19
8+
description: |
9+
### Summary
10+
11+
`Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes)
12+
from garbage collection. A Ruby callback that triggers GC inside
13+
`hash_end` can cause the key string to be reclaimed while the C
14+
parser still holds a pointer to it. The subsequent access to the
15+
freed string VALUE results in a segfault, confirmed by an
16+
RIP pointing to address `0x4242` (a canary-style pattern suggesting
17+
control over the freed memory's content).
18+
cvss_v4: 8.7
19+
patched_versions:
20+
- ">= 3.17.3"
21+
related:
22+
url:
23+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
24+
- https://rubygems.org/gems/oj/versions/3.17.3
25+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
26+
- https://github.com/ohler55/oj/pull/1015
27+
- https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
28+
- https://github.com/advisories/GHSA-m578-w5vf-rfcm
29+
notes: |
30+
- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.

gems/oj/CVE-2026-54903.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
---
2+
gem: oj
3+
cve: 2026-54903
4+
ghsa: 475m-ph3x-64gp
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
6+
title: Oj - Integer Overflow in Oj.load 2GB String Handling
7+
date: 2026-06-19
8+
description: |
9+
### Summary
10+
11+
`Oj.load` is vulnerable to heap corruption when parsing a JSON string
12+
longer than 2 GB. An integer overflow in `buf_append_string`
13+
(`buf.h:61`) converts the string length to a large negative `size_t`,
14+
causing `memcpy` to copy an astronomically large amount of data out of
15+
bounds. This crashes the process and can corrupt adjacent heap memory.
16+
cvss_v4: 8.7
17+
patched_versions:
18+
- ">= 3.17.3"
19+
related:
20+
url:
21+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
22+
- https://rubygems.org/gems/oj/versions/3.17.3
23+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
24+
- https://github.com/ohler55/oj/pull/1015
25+
- https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
26+
- https://github.com/advisories/GHSA-475m-ph3x-64gp
27+
notes: |
28+
- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.

0 commit comments

Comments
 (0)