Posted by hone and zzak on 29 Mar 2014

There is an overflow in URI escape parsing of YAML in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525.

Details

Whenever YAML containing tags is parsed, a specially crafted tag can trigger a heap overflow in libyaml's handling of URI escapes, which can lead to arbitrary code execution. Any code path that passes attacker-controlled YAML to the parser is exposed.

For example:

YAML.load <code_from_unknown_source>

Affected Versions

Ruby 1.9.3-p0 and above include psych as the default YAML parser. Any version of psych linked against libyaml <= 0.1.5 is affected, whether libyaml comes from the system or from the copy embedded in psych.

And, these versions of Ruby bundle an affected version of libyaml:

Ruby 2.0.0-p451 and earlier,

Ruby 2.1.0 and Ruby 2.1.1.

You can verify the version of libyaml used by running:

$ ruby -rpsych -e 'p Psych.libyaml_version'
[0, 1, 5]

Solutions

Users with a system-installed libyaml should update libyaml to 0.1.6. When recompiling Ruby, point it at the updated libyaml:

$ ./configure --with-yaml-dir=/path/to/libyaml

Users without a system libyaml rely on the libyaml embedded in psych and should update psych to 2.0.5, which vendors libyaml 0.1.6:

$ gem install psych

or, update your Ruby to 2.0.0-p481, 2.1.2 or newer.
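The following script, an added example rather than code from the advisory or from psych, turns the version check above into a guard for code that must parse untrusted YAML: it refuses to parse when the libyaml psych is linked against is older than 0.1.6. The `FIXED_LIBYAML` constant, the `libyaml_vulnerable?` and `load_untrusted_yaml` helpers, the `version:` keyword and the sample document are all assumptions of this example.

```ruby
require 'psych'

# Added example, not from the advisory. The gate below encodes the
# advisory's rule: psych linked against libyaml 0.1.5 or earlier is
# affected by CVE-2014-2525; 0.1.6 carries the fix.
FIXED_LIBYAML = [0, 1, 6].freeze

# Compare a libyaml version array (the shape Psych.libyaml_version returns)
# against the first fixed release. Arrays compare element-wise with <=>.
def libyaml_vulnerable?(version = Psych.libyaml_version)
  (version <=> FIXED_LIBYAML) < 0
end

class VulnerableLibyaml < StandardError; end

# Parse YAML from an untrusted source only when the runtime is patched.
# The version: keyword is an assumption of this example, exposed so the
# check can be exercised without actually running an old libyaml.
# Psych.safe_load is used because untrusted documents should never be able
# to instantiate arbitrary Ruby classes; it is NOT a mitigation for this
# CVE, since libyaml has already scanned the document by the time it runs.
def load_untrusted_yaml(text, version: Psych.libyaml_version)
  if libyaml_vulnerable?(version)
    raise VulnerableLibyaml,
          "libyaml #{version.join('.')} is affected by CVE-2014-2525; " \
          "update libyaml to 0.1.6 (or psych >= 2.0.5) before parsing untrusted YAML"
  end
  Psych.safe_load(text)
end

# Constructed sample document. The explicit !!str tag is the kind of tagged
# scalar the tag scanner processes; it is harmless input here.
SAMPLE_YAML = <<~YAML
  ---
  name: !!str 123
  ports:
    - 80
    - 443
YAML

if $PROGRAM_NAME == __FILE__
  puts "psych #{Psych::VERSION}, libyaml #{Psych.libyaml_version.join('.')}"
  puts "vulnerable: #{libyaml_vulnerable?}"
  begin
    p load_untrusted_yaml(SAMPLE_YAML)
  rescue VulnerableLibyaml => e
    warn e.message
  end
end
```

Run it on each host that parses YAML from the outside world; a runtime that prints `vulnerable: true` needs the libyaml or psych update described above before it handles such input again. Note that restricting which Ruby objects YAML may construct (safe_load) is good practice but does nothing for this bug, because the overflow happens inside libyaml's scanner before any Ruby object is built.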

History