gem install yajl-ruby on RHEL5 causes buffer overflow #89

Closed
auxesis opened this issue Nov 8, 2011 · 7 comments


auxesis commented Nov 8, 2011

This was originally reported to me on auxesis/visage#84:

auxesis/visage#84 (comment)

# gem install -V yajl-ruby
GET 302 Found: http://gems.rubyforge.org/latest_specs.4.8.gz
GET 200 OK: http://production.s3.rubygems.org/latest_specs.4.8.gz
Installing gem yajl-ruby-1.0.0
*** buffer overflow detected ***: /usr/bin/ruby terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x30676e807f]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(rb_syck_mktime+0x48e)[0x2b61b44e698e]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(yaml_org_handler+0x860)[0x2b61b44e72a0]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_defaultresolver_node_import+0x39)[0x2b61b44e74a9]
/usr/lib64/libruby.so.1.8[0x306823492e]
/usr/lib64/libruby.so.1.8[0x3068234e48]
/usr/lib64/libruby.so.1.8[0x30682353f2]
/usr/lib64/libruby.so.1.8(rb_funcall+0x85)[0x30682356c5]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(rb_syck_load_handler+0x47)[0x2b61b44e6437]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_hdlr_add_node+0x39)[0x2b61b44e1839]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syckparse+0xb45)[0x2b61b44e2605]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_parse+0x19)[0x2b61b44ead29]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_parser_load+0xed)[0x2b61b44e62ad]
/usr/lib64/libruby.so.1.8[0x306823492e]
/usr/lib64/libruby.so.1.8[0x3068234e48]
/usr/lib64/libruby.so.1.8[0x306823bbc6]
/usr/lib64/libruby.so.1.8[0x306823afb5]
<snip>

I don't have a system to test, but I guess @slyall, @ccelebi or @Elwell may be able to help out.

@brianmario
Owner

Testing a gem install with -V locally shows the install appears to take these steps:

  1. check for and/or download http://production.s3.rubygems.org/latest_specs.4.8.gz
  2. list the files in the gem (I assume this is just a verbose unpack of the gem)
  3. "Building native extensions. This could take a while..."
  4. show the path to extconf.rb
  5. "creating Makefile"
  6. output from make here
  7. output from make install here
  8. "1 gem installed"

Based on that, and looking at the output I assume things are bombing before or during step 2 in the process. Are either of you able to install the gem manually?

IE: download https://rubygems.org/downloads/yajl-ruby-1.0.0.gem then run gem install -V yajl-ruby-1.0.0.gem

If that bombs in the same spot, it seems to point to a buggy tar implementation? Or possibly a corrupt .gem file? Definitely curious what the results of a "manual" install are.

Next step if that fails, is to clone down the repo and try building it yourself via:

  1. clone the repo
  2. cd into the repo, then run bundle install vendor/gems --binstubs
  3. run bin/rake compile

If that works, there's definitely something strange with the gem file or the tar executable itself.

Let me know what you find.


slyall commented Nov 8, 2011

Downloaded and tried a local install with same result:

$ md5sum yajl-ruby-1.0.0.gem
44c2c3d2f33c312cdf4afc234722bfd7 yajl-ruby-1.0.0.gem

$ gem install -V yajl-ruby-1.0.0.gem
*** buffer overflow detected ***: /usr/bin/ruby terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x30676e807f]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(rb_syck_mktime+0x48e)[0x2ab9a73d498e]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(yaml_org_handler+0x860)[0x2ab9a73d52a0]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_defaultresolver_node_import+0x39)[0x2ab9a73d54a9]
/usr/lib64/libruby.so.1.8[0x306823492e]
/usr/lib64/libruby.so.1.8[0x3068234e48]
/usr/lib64/libruby.so.1.8[0x30682353f2]
/usr/lib64/libruby.so.1.8(rb_funcall+0x85)[0x30682356c5]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(rb_syck_load_handler+0x47)[0x2ab9a73d4437]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_hdlr_add_node+0x39)[0x2ab9a73cf839]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syckparse+0xb45)[0x2ab9a73d0605]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_parse+0x19)[0x2ab9a73d8d29]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_parser_load+0xed)[0x2ab9a73d42ad]

etc...

I have to go home now but I'll try the next step tomorrow if nobody has done in the interim.

FYI:

$ rpm -qa | grep ruby
ruby-irb-1.8.5-19.el5_6.1
rubygems-1.3.1-1.el5
rubygem-daemon_controller-0.2.5-1
ruby-libs-1.8.5-19.el5_6.1
ruby-rdoc-1.8.5-19.el5_6.1
rubygem-fastthread-1.0.7-1.el5
rubygem-rack-1.1.0-2.el5
rubygem-passenger-3.0.9-1.el5
rubygem-passenger-native-libs-3.0.9-1.el5_1.8.5
ruby-RRDtool-0.6.0-6.el5
ruby-augeas-0.3.0-1.el5
ruby-shadow-1.4.1-7.el5
ruby-1.8.5-19.el5_6.1
libselinux-ruby-1.33.4-5.7.el5
rubygem-rake-0.8.7-2.el5
rubygem-passenger-native-3.0.9-1.el5

@brianmario
Owner

Just noticed Ruby 1.8.5, forgot that ships with RHEL/CentOS... I thought I'd put it in the gemspec (just updated it) but yajl-ruby 1.0 should have required ruby 1.8.6 or higher. According to the latest version of ruby 1.8.5 (p231?) was released back in summer of 2008. I highly recommend upgrading to at least 1.8.7.

@brianmario
Owner

Just shipped yajl-ruby 1.1.0 which now requires ruby 1.8.6 or higher, give that a try and let me know if you have any issues


slyall commented Nov 10, 2011

Okay, the box is in Prod so it might be easier to install with RHEL/CentOS 6 which has Ruby 1.8.7 rather than hacking in some backported version.

This will probably take me a while to arrange, I'll reopen/new ticket if problems on RHEL6

@brianmario
Owner

ruby enterprise also has rpms I think, which is based on 1.8.7



auxesis commented Nov 13, 2011

+1 to REE, I've done that before with great success:

Endpoint provide solid packages for RHEL5.
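
Both backtraces in this thread abort in `__chk_fail`, and the first frame outside libc is `rb_syck_mktime` in syck.so, the YAML parser shipped with Ruby 1.8, not yajl-ruby's own extension. The Ruby helper below is an added example, not code from yajl-ruby or RubyGems, that pulls this out of such a backtrace; `Frame`, `parse_backtrace` and `triage` are names chosen here.

```ruby
# Added example: triage of a glibc "*** buffer overflow detected ***" backtrace.
# Frame syntax as printed by glibc: module(symbol+0xoff)[0xaddr] or module[0xaddr].
FRAME_RE = /\A(?<mod>[^(\[\s]+)(?:\((?<sym>[^+)]*)(?:\+(?<off>0x\h+))?\))?\[(?<addr>0x\h+)\]\z/

Frame = Struct.new(:module_path, :symbol, :offset, :addr) do
  def library
    File.basename(module_path)
  end

  def libc?
    library.start_with?("libc.so", "libc-")
  end
end

# Returns the frames listed after the "======= Backtrace:" marker, in order.
def parse_backtrace(text)
  lines = text.lines.map(&:strip)
  start = lines.index { |l| l.start_with?("======= Backtrace:") }
  return [] unless start

  frames = []
  lines[(start + 1)..-1].each do |line|
    m = FRAME_RE.match(line)
    break unless m # "<snip>", a blank line or the memory map ends the list
    sym = m[:sym].to_s.empty? ? nil : m[:sym]
    frames << Frame.new(m[:mod], sym, m[:off], m[:addr])
  end
  frames
end

# __chk_fail is glibc's _FORTIFY_SOURCE abort handler; the first frame outside
# libc is the code that made the checked call.
def triage(text)
  frames = parse_backtrace(text)
  { :fortify_abort => frames.any? { |f| f.libc? && f.symbol == "__chk_fail" },
    :culprit => frames.find { |f| !f.libc? },
    :libraries => frames.map(&:library).uniq }
end

# First frames of the backtrace from the report above.
SAMPLE = <<'LOG'
*** buffer overflow detected ***: /usr/bin/ruby terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x30676e807f]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(rb_syck_mktime+0x48e)[0x2b61b44e698e]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(yaml_org_handler+0x860)[0x2b61b44e72a0]
/usr/lib64/ruby/1.8/x86_64-linux/syck.so(syck_defaultresolver_node_import+0x39)[0x2b61b44e74a9]
/usr/lib64/libruby.so.1.8[0x306823492e]
<snip>
LOG
```
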
