Fix for: Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads

Asked 7/4, 2014 at 17:36 Answered 15/10, 2015 at 11:33

I get the following error when running rspec after I added the vcr gem. Simply running gem install psych -- --enable-bundled-libyaml as suggested doesn't solve the problem. I am using rbenv and ruby-build and I am on ruby 2.1.1. What do i have to do to fix this?

SafeYAML Warning
  ----------------

  You appear to have an outdated version of libyaml (0.1.4) installed on your system.

  Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.

  For more info, see:
  https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

  The easiest thing to do right now is probably to update Psych to the latest version and enable
  the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:

  gem install psych -- --enable-bundled-libyaml

Huygens answered 7/4, 2014 at 17:36 Comment(1)

getting the exact same problem here on 2.0.0p353 – Didache 7/4, 2014 at 18:52

First, you have to update Ruby-build, they have recently patched this security issue. Now, it installs libyaml 0.1.6 to compile Ruby.

$ rm -rf ~/.rbenv/plugins/ruby-build
$ git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build

Recompile, reinstall the Ruby version you are using, 2.0.0-p451 in my case:

$ rbenv install 2.0.0-p451
rbenv: /home/ubuntu/.rbenv/versions/2.0.0-p451 already exists
continue with installation? (y/N) y
Downloading yaml-0.1.6.tar.gz...
-> http://dqw8nmjcqpjn7.cloudfront.net/5fe00cda18ca5daeb43762b80c38e06e
...

And it worked in my case.

Mate answered 8/4, 2014 at 22:15 Comment(0)

I just followed the instructions in this reply https://mcmap.net/q/50026/-how-to-solve-quot-ruby-installation-is-missing-psych-quot-error and it seems to have done the trick. I did it slightly different however:

rvm pkg install libyaml
rvm get stable
rvm reinstall all --force

This might not help if you are using system Ruby, and will obviously be different with rbenv.

Didache answered 7/4, 2014 at 19:14 Comment(4)

For some reason on osx (10.9.2) rvm pkg install libyaml is installing 0.1.5, so this doesn't do anything for me. – Contredanse 7/4, 2014 at 22:56

@Contredanse see if this answer helps: #22920490 – Bireme 9/4, 2014 at 0:8

@Bireme seems like brew already had 0.1.6 installed. tried reinstalling to no avail. :( – Contredanse 9/4, 2014 at 17:17

Mine failed on Fetching yaml-0.1.4.tar.gz with a 404 error for rvm.io/src/yaml-0.1.4.tar.gz – Bucket 30/4, 2014 at 16:55

As a user of rvm, I managed to get my set up to play ball by building 0.1.6 release of libyaml, then (re)installing Ruby, passing the following configure flag

rvm install 1.9.3 -- --with-libyaml-dir=/usr/local

Hope this helps people in the short-term until the dust settles.

Olivette answered 11/4, 2014 at 13:17 Comment(1)

Of all the suggestions on the linked posts about this issue... this one worked! I had to reinstall the gem causing the issue after this, but then it worked! Reinstalling the gem without this rvm install did not fix the issue. – Circumrotate 12/4, 2014 at 19:10

If you're on Mac OS X / Mavericks then you may be running on the system-installed Ruby. Thoughbot encourages you not to do this. I was having this problem as well, so I followed their advice and installed brew and rbenv and the problem went away.

Monroy answered 20/4, 2014 at 4:0 Comment(0)

For rvm this worked for me:

rvm pkg install libyaml
$LIBYAML_PATH will be the path where RVM installs the upated yaml
rvm get stable
rvm reinstall all --force --with-libyaml-dir=$LIBYAML_PATH

http://synaptian.com/2014/04/fixing-the-safeyaml-warning-on-ubuntu-12-04-with-rvm/

Kris answered 15/10, 2015 at 11:33 Comment(0)

Recommended topics

Hot tags