Posted by hone and zzak on 29 Mar 2014
There is an overflow in URI escape parsing of YAML in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525.
Any time a string in YAML with tags is parsed, a specially crafted string can cause a heap overflow which can lead to arbitrary code execution.
Ruby 1.9.3-p0 and above include psych as the default YAML parser.
Any versions of psych linked against libyaml <= 0.1.5 are affected.
And, these versions of Ruby bundle an affected version of libyaml:
- Ruby 2.0.0-p451 and earlier,
- Ruby 2.1.0 and Ruby 2.1.1.
You can verify the version of libyaml used by running:
$ ruby -rpsych -e 'p Psych.libyaml_version'
[0, 1, 5]
Users who install libyaml to the system are recommended to update libyaml to
When recompiling Ruby, point to the newly updated libyaml:
$ ./configure --with-yaml-dir=/path/to/libyaml
Users without a system libyaml rely on the embedded libyaml and are recommended to update psych to 2.0.5 which vendors libyaml
$ gem install psych
or, update your Ruby to 2.0.0-p481, 2.1.2 or newer.
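The version check and the affected ranges above can be combined into one audit script. This is an added example, not part of the original advisory: the method names are hypothetical, and reading "2.0.0-p451 and earlier" as the 2.0.0 series at patch level 451 or lower is an assumption.

```ruby
require 'psych'

# Last libyaml release the advisory lists as affected (libyaml <= 0.1.5).
LAST_AFFECTED_LIBYAML = [0, 1, 5].freeze

# version: [major, minor, patch], the shape Psych.libyaml_version returns.
def libyaml_affected?(version)
  (version.first(3) <=> LAST_AFFECTED_LIBYAML) <= 0
end

# Ruby releases the advisory lists as bundling an affected libyaml.
# Assumption: "2.0.0-p451 and earlier" means 2.0.0 at patch level <= 451.
def ruby_bundles_affected_libyaml?(ruby_version, patchlevel)
  case ruby_version
  when '2.0.0' then patchlevel <= 451
  when '2.1.0', '2.1.1' then true
  else false
  end
end

# Returns :ok, :affected_bundled_release or :affected_linked_libyaml.
# The linked libyaml version decides exposure; the Ruby release only hints
# at which remediation path from the advisory applies (a heuristic).
def assess(libyaml: Psych.libyaml_version, ruby_version: RUBY_VERSION,
           patchlevel: RUBY_PATCHLEVEL)
  return :ok unless libyaml_affected?(libyaml)
  if ruby_bundles_affected_libyaml?(ruby_version, patchlevel)
    :affected_bundled_release
  else
    :affected_linked_libyaml
  end
end

ADVICE = {
  ok: 'linked libyaml is newer than 0.1.5',
  affected_bundled_release:
    'update psych to 2.0.5, or Ruby to 2.0.0-p481, 2.1.2 or newer',
  affected_linked_libyaml:
    'update libyaml, then recompile Ruby with --with-yaml-dir'
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = assess
  puts "libyaml #{Psych.libyaml_version.join('.')} on Ruby " \
       "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{result} (#{ADVICE[result]})"
end
```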
- Originally published at 2014-03-29 01:49:25 UTC
- Update published at 2014-03-29 09:37:00 UTC
- Update published at 2014-05-09 03:00:00 UTC