
Cloud Vulnerability DB
A community-led vulnerabilities database
Nokogiri v1.14.3 addresses two vulnerabilities in its packaged libxml2 dependency by upgrading that library to version 2.10.4. The vulnerabilities are CVE-2023-29469, non-deterministic hashing of empty dict strings, and CVE-2023-28484, a NULL pointer dereference in XML Schema (XSD) parsing. These issues affect CRuby builds of Nokogiri versions below 1.14.3 that use the packaged libraries; builds linked against a system libxml2 are affected only if that libxml2 is itself older than 2.10.4 (GitHub Advisory).
The two libxml2 defects, both fixed in 2.10.4, are as follows. First (CVE-2023-29469), when a crafted XML document causes an empty string to be added to a dictionary, the xmlDictComputeFastKey function in dict.c reads the first byte of the name even though its length is zero, so the computed key depends on whatever byte happens to follow in memory and is not deterministic. Second (CVE-2023-28484), parsing an invalid XSD schema can reach a NULL pointer dereference in the xmlSchemaFixupComplexType function in xmlschemas.c, resulting in a segmentation fault (MITRE CVE, Libxml2 Commit).
The non-deterministic hash can lead to various logic and memory errors, including double frees, and the schema bug crashes the process with a segmentation fault; both are reachable with attacker-supplied input. The issues primarily affect applications that parse untrusted XML documents or untrusted XSD schemas, where the practical outcome is denial of service (GitHub Advisory).
Users are advised to upgrade to Nokogiri version 1.14.3 or later. For those unable to upgrade, an alternative mitigation is to compile and link Nokogiri against a system libxml2 at version 2.10.4 or later (Nokogiri's --use-system-libraries build option). Users who have already overridden the defaults to use system libraries should monitor their distribution's libxml2 release announcements; distributions often backport fixes without changing the reported version number, so the distribution advisory, not the version string alone, is what confirms the fix (GitHub Advisory).
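The advice above turns on two facts that Nokogiri reports about itself at runtime: whether its libxml2 is packaged or system-provided, and which libxml2 version is actually loaded. The following is an added example, not code from the Nokogiri project or from the advisory, that encodes the remediation logic as a check. The sample hashes are constructed to mirror the shape of Nokogiri::VERSION_INFO (the "nokogiri"/"version", "ruby"/"engine" and "libxml"/"source"/"loaded" keys); they are an assumption about that structure, not captured output, so compare them against the real hash on your own system.

```ruby
require "rubygems" # Gem::Version does the version comparison

# libxml2 release that carries both fixes, per the advisory.
FIXED_LIBXML2 = Gem::Version.new("2.10.4")

# Constructed sample hashes in the shape of Nokogiri::VERSION_INFO (only the
# keys this check reads). They are not captured from a real system.
SAMPLE_VULNERABLE_PACKAGED = {
  "nokogiri" => { "version" => "1.14.2" },
  "ruby"     => { "engine" => "ruby" },
  "libxml"   => { "source" => "packaged", "loaded" => "2.10.3" },
}
SAMPLE_FIXED_PACKAGED = {
  "nokogiri" => { "version" => "1.14.3" },
  "ruby"     => { "engine" => "ruby" },
  "libxml"   => { "source" => "packaged", "loaded" => "2.10.4" },
}
SAMPLE_OLD_SYSTEM = {
  "nokogiri" => { "version" => "1.14.3" },
  "ruby"     => { "engine" => "ruby" },
  "libxml"   => { "source" => "system", "loaded" => "2.9.14" },
}
SAMPLE_JRUBY = {
  "nokogiri" => { "version" => "1.14.2" },
  "ruby"     => { "engine" => "jruby" },
}

# Classify one VERSION_INFO-shaped hash:
#   :not_affected        JRuby (does not use libxml2), or libxml2 >= 2.10.4
#   :upgrade_nokogiri    CRuby with Nokogiri's packaged libxml2 < 2.10.4;
#                        the fix is Nokogiri >= 1.14.3
#   :check_distribution  CRuby linked against a system libxml2 reporting
#                        < 2.10.4; distributions backport fixes without
#                        bumping the version, so confirm against their advisory
def libxml2_exposure(info)
  return :not_affected if info.dig("ruby", "engine") == "jruby"

  libxml = info.fetch("libxml")
  return :not_affected if Gem::Version.new(libxml.fetch("loaded")) >= FIXED_LIBXML2

  libxml["source"] == "packaged" ? :upgrade_nokogiri : :check_distribution
end

# Run the same check against the Nokogiri actually installed in this Ruby.
def installed_exposure
  require "nokogiri"
  libxml2_exposure(Nokogiri::VERSION_INFO)
rescue LoadError
  :nokogiri_not_installed
end

if __FILE__ == $PROGRAM_NAME
  {
    "packaged 2.10.3" => SAMPLE_VULNERABLE_PACKAGED,
    "packaged 2.10.4" => SAMPLE_FIXED_PACKAGED,
    "system 2.9.14"   => SAMPLE_OLD_SYSTEM,
    "jruby"           => SAMPLE_JRUBY,
  }.each { |label, info| puts "#{label}: #{libxml2_exposure(info)}" }
  puts "this interpreter: #{installed_exposure}"
end
```

The check deliberately keys on the loaded libxml2 version rather than on the Nokogiri gem version, because a Nokogiri older than 1.14.3 that was built against a patched system libxml2 is not exposed, while the gem version alone would flag it. The :check_distribution result is a prompt to read the distribution's advisory, not a verdict, for the backport reason given above.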
Source: This report was generated using AI