29 Mar '14, 2am

Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)

There is an overflow in URI escape parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525.

Details

Any time a string in YAML with tags is parsed, a specially crafted string can cause a heap overflow which can lead to arbitrary code execution. For example:

    YAML.load <code_from_unknown_source>

Affected Versions

Ruby 1.9.3-p0 and above include psych as the default YAML parser. Any version of psych linked against libyaml <= 0.1.5 is affected. You can verify the version of libyaml used by running:

    $ ruby -rpsych -e 'p Psych.libyaml_version'
    [0, 1, 5]

Solutions

Users who install libyaml to the system are recommended to update libyaml to 0.1.6. When recompiling Ruby, point to the newly updated libyaml:

    ./configure --with-yaml-dir=/path/to/libyaml

Users without a system libyaml rel...

Full article: https://www.ruby-lang.org/en/news/2014/03/29/heap-overflo...
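
An added example (not from the advisory or the Ruby project) that applies the advisory's threshold, libyaml <= 0.1.5 affected, to the output of the version check above when it has been collected from several hosts. The host names and sample outputs are constructed, and the helper names are hypothetical.

```ruby
require 'psych'

# Threshold from the advisory text: libyaml <= 0.1.5 is affected (0.1.6 is the fix).
LAST_AFFECTED = [0, 1, 5].freeze

# Parse the printed form of `p Psych.libyaml_version`, e.g. "[0, 1, 5]".
# Returns nil for anything that is not exactly three integers in brackets,
# so error text from a host is never mistaken for a version.
def parse_libyaml_version(text)
  m = /\A\s*\[\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\]\s*\z/.match(text.to_s)
  m && m.captures.map(&:to_i)
end

# Array#<=> compares element by element as integers, so [0, 1, 10]
# correctly sorts after [0, 1, 5] (a string comparison would not).
def libyaml_status(version)
  valid = version.is_a?(Array) && version.size == 3 &&
          version.all? { |n| n.is_a?(Integer) }
  return :unknown unless valid
  (version <=> LAST_AFFECTED) <= 0 ? :affected : :ok
end

# Constructed sample: command output gathered per host (hypothetical names).
SAMPLE_INVENTORY = {
  'app-01' => '[0, 1, 5]',
  'app-02' => '[0, 1, 6]',
  'app-03' => '[0, 1, 10]',
  'app-04' => 'ruby: command not found'
}.freeze

# Map each host to :affected, :ok or :unknown.
def audit(inventory)
  inventory.map { |host, out| [host, libyaml_status(parse_libyaml_version(out))] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  local = Psych.libyaml_version
  puts "local libyaml #{local.join('.')}: #{libyaml_status(local)}"
  audit(SAMPLE_INVENTORY).each { |host, status| puts "#{host}: #{status}" }
end
```

Hosts reported as `:unknown` still need a manual check, since the command produced no parseable version there.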

Tweets

Important vulnerability in Ruby: Heap Overfl...

ruby-lang.org 08 Apr '14, 8am

Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525) There is an overflow in URI escape parsing of YAML in Ruby. This ...

Heap Overflow in YAML URI Escape Parsing (CVE-2014-...

ruby-lang.org 30 Mar '14, 3am

Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525) There is an overflow problem in Ruby's URI escape processing. This vulnerability has been assigned the CVE identifier CVE-2014-2525...
