Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)

Posted by hone and zzak on 29 Mar 2014

There is a heap overflow in the URI escape parsing of libyaml, the YAML parser used by Ruby's psych. This vulnerability has been assigned the CVE identifier CVE-2014-2525.

Details

Whenever a tagged string in a YAML document is parsed, a specially crafted string can overflow a heap buffer in libyaml's URI escape parsing, which can lead to arbitrary code execution. Any code path that passes untrusted YAML to the parser is exposed.

For example:

YAML.load <code_from_unknown_source>

Affected Versions

Ruby 1.9.3-p0 and above include psych as the default YAML parser. Any versions of psych linked against libyaml <= 0.1.5 are affected.

And, these versions of Ruby bundle an affected version of libyaml:

  • Ruby 2.0.0-p451 and earlier,
  • Ruby 2.1.0 and Ruby 2.1.1.

You can verify the version of libyaml used by running:

$ ruby -rpsych -e 'p Psych.libyaml_version'
[0, 1, 5]

Solutions

Users who install libyaml as a system library should update it to 0.1.6 and then recompile Ruby against the updated libyaml:

$ ./configure --with-yaml-dir=/path/to/libyaml

Users without a system libyaml rely on the libyaml embedded in the psych gem and should update psych to 2.0.5, which vendors libyaml 0.1.6:

$ gem install psych

or update Ruby to 2.0.0-p481, 2.1.2, or newer.
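The version check and the two remediation paths above, combined into one script. This is an added example, not code from the advisory or from the psych project; it assumes that the caller knows whether psych was built against a system libyaml or the copy vendored in the psych gem (`system_libyaml:` below), since that cannot be read reliably from Psych itself. The constants `FIXED_LIBYAML` and `FIXED_PSYCH` are taken from the version numbers the advisory gives.

```ruby
# Added example (not part of the advisory): decide whether the libyaml that
# psych is linked against falls in the CVE-2014-2525 affected range, and which
# of the advisory's two remediation paths applies.

# First libyaml release carrying the URI escape fix (from the advisory).
FIXED_LIBYAML = [0, 1, 6].freeze
# First psych gem that vendors libyaml 0.1.6 (from the advisory).
FIXED_PSYCH = Gem::Version.new('2.0.5')

# True when a [major, minor, patch] libyaml version is <= 0.1.5.
# Array#<=> compares element-wise, so [0, 1, 10] correctly sorts after
# [0, 1, 6]; a string comparison would get that wrong.
def libyaml_affected?(libyaml_version)
  (libyaml_version <=> FIXED_LIBYAML) < 0
end

# Ruby releases that ship an affected libyaml inside their bundled psych,
# as listed in the advisory: 2.0.0 up to p451, and 2.1.0 / 2.1.1.
def bundled_ruby_affected?(ruby_version, patchlevel)
  case ruby_version
  when '2.0.0'          then patchlevel <= 451
  when '2.1.0', '2.1.1' then true
  else false
  end
end

# Map the observed versions onto the advisory's remediation advice.
# system_libyaml: assumption supplied by the caller (see lead-in).
def assess(libyaml_version:, psych_version:, system_libyaml:)
  unless libyaml_affected?(libyaml_version)
    return { affected: false, action: 'none: libyaml >= 0.1.6' }
  end

  action =
    if system_libyaml
      'update system libyaml to 0.1.6, then recompile Ruby with ' \
      '--with-yaml-dir pointing at it'
    elsif Gem::Version.new(psych_version) < FIXED_PSYCH
      'gem install psych (2.0.5 vendors libyaml 0.1.6), or update Ruby ' \
      'to 2.0.0-p481 / 2.1.2 or newer'
    else
      # psych already claims to vendor 0.1.6 but an old libyaml is loaded:
      # the running interpreter is not using the updated gem.
      'psych >= 2.0.5 is installed but an older libyaml is loaded; ' \
      'check that this Ruby actually loads the updated gem'
    end

  { affected: true, action: action }
end

# Inspect the running interpreter. Psych.libyaml_version and Psych::VERSION
# are real psych APIs; RUBY_VERSION / RUBY_PATCHLEVEL are core constants.
def live_assessment(system_libyaml:)
  require 'psych'
  result = assess(libyaml_version: Psych.libyaml_version,
                  psych_version: Psych::VERSION,
                  system_libyaml: system_libyaml)
  result.merge(bundled_ruby_affected:
               bundled_ruby_affected?(RUBY_VERSION, RUBY_PATCHLEVEL))
end

if $PROGRAM_NAME == __FILE__
  # Assumption for the demo run: psych uses its vendored libyaml.
  p live_assessment(system_libyaml: false)
end
```

Run the script on each Ruby installation that parses untrusted YAML; `libyaml_affected?` is the authoritative check, because an updated psych gem only helps if the interpreter in use actually loads it.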

History

  • Originally published at 2014-03-29 01:49:25 UTC
  • Update published at 2014-03-29 09:37:00 UTC
  • Update published at 2014-05-09 03:00:00 UTC
