Posted by hone and zzak on 29 Mar 2014
There is an overflow in URI escape parsing of YAML in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525.
Details
Any time a string in YAML with tags is parsed, a specially crafted string can cause a heap overflow which can lead to arbitrary code execution.
For example:
Affected Versions
Ruby 1.9.3-p0 and above include psych as the default YAML parser.
Any versions of psych linked against libyaml <= 0.1.5 are affected.
And, these versions of Ruby bundle an affected version of libyaml:
- Ruby 2.0.0-p451 and earlier,
- Ruby 2.1.0 and Ruby 2.1.1.
You can verify the version of libyaml used by running:
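As an added example that is not part of the original advisory, the following Ruby script reads the libyaml version that psych reports through Psych::LIBYAML_VERSION and flags the interpreter as affected when that version is below 0.1.6; the version-comparison helpers and the report function are my own, not psych's API.

```ruby
require 'psych'

# First libyaml release carrying the fix for CVE-2014-2525 (from the advisory).
PATCHED_LIBYAML = '0.1.6'

# Split a dotted version such as "0.1.5" into [0, 1, 5]; non-numeric
# parts (e.g. a "-pNNN" suffix) are dropped.
def version_parts(version)
  version.to_s.scan(/\d+/).map(&:to_i)
end

# Compare two dotted versions numerically; returns -1, 0 or 1.
# Missing trailing components count as 0, so "0.1" == "0.1.0".
def compare_versions(a, b)
  pa = version_parts(a)
  pb = version_parts(b)
  len = [pa.size, pb.size].max
  pa += [0] * (len - pa.size)
  pb += [0] * (len - pb.size)
  pa <=> pb
end

# True when the given libyaml version is older than the patched release.
def libyaml_affected?(libyaml_version)
  compare_versions(libyaml_version, PATCHED_LIBYAML) < 0
end

# Build a small report for the running interpreter (or for supplied versions,
# which is what the tests use). Psych::LIBYAML_VERSION is the version string
# of the libyaml psych was compiled against, whether system or vendored.
def cve_2014_2525_report(libyaml_version = Psych::LIBYAML_VERSION,
                         psych_version = Psych::VERSION)
  {
    psych: psych_version,
    libyaml: libyaml_version,
    affected: libyaml_affected?(libyaml_version)
  }
end

if __FILE__ == $0
  r = cve_2014_2525_report
  status = r[:affected] ? 'AFFECTED, update libyaml/psych' : 'not affected'
  puts "psych #{r[:psych]} linked against libyaml #{r[:libyaml]}: #{status}"
end
```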
Solutions
Users who install libyaml system-wide are recommended to update libyaml to 0.1.6.
When recompiling Ruby, point to the newly updated libyaml:
Users without a system libyaml rely on the embedded libyaml and are recommended to update psych to 2.0.5, which vendors libyaml 0.1.6:
or, update your Ruby to 2.0.0-p481, 2.1.2 or newer.
History
- Originally published at 2014-03-29 01:49:25 UTC
- Update published at 2014-03-29 09:37:00 UTC
- Update published at 2014-05-09 03:00:00 UTC