
safe_yaml 1.0.2 warning #2207

Closed
XhmikosR opened this issue Apr 5, 2014 · 22 comments

Comments

@XhmikosR
Contributor

XhmikosR commented Apr 5, 2014

I'm using Jekyll v1.5.1 and after today's safe_yaml update I get

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\xmr\Desktop>ruby -v && jekyll -v
ruby 1.9.3p484 (2013-11-22) [i386-mingw32]

  SafeYAML Warning
  ----------------

  You appear to have an outdated version of libyaml (0.1.4) installed on your system.

  Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.

  For more info, see:
  https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/

  The easiest thing to do right now is probably to update Psych to the latest version and enable
  the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:

  gem install psych -- --enable-bundled-libyaml


jekyll 1.5.1

C:\Users\xmr\Desktop>

I did install psych like the error message says but I still get that warning every time I run jekyll.

@parkr
Member

parkr commented Apr 6, 2014

This is consistent with the new release's handling of CVE-2014-2525 (see dtao/safe_yaml#56). You need to re-install libyaml to 0.1.6 and (possibly) reinstall your Ruby.

/cc @dtao

@parkr parkr closed this as completed Apr 6, 2014
@XhmikosR
Contributor Author

XhmikosR commented Apr 6, 2014

Well, nothing works for me. I even re-installed Ruby and everything and I still get that warning when running Jekyll.

@parkr
Member

parkr commented Apr 7, 2014

That's super weird. Can you comment on the safe_yaml issue I linked to above? I believe it would be beneficial – I certainly don't want these noisy warnings if there is nothing to fear. You re-installed libyaml and everything? Hm.

@XhmikosR
Contributor Author

XhmikosR commented Apr 7, 2014

I did install everything from scratch after deleting my Ruby folder and everything.

I also did gem install psych -- --enable-bundled-libyaml like the warning suggests.

C:\Users\xmr\Desktop>gem install psych -- --enable-bundled-libyaml
Fetching: psych-2.0.5.gem (100%)
Temporarily enhancing PATH to include DevKit...
Building native extensions with: '--enable-bundled-libyaml'
This could take a while...
Successfully installed psych-2.0.5
Parsing documentation for psych-2.0.5
Installing ri documentation for psych-2.0.5
Done installing documentation for psych after 2 seconds
1 gem installed

@boyanpenkov

Yep, I see this as well. Reinstalling psych doesn't clear it. Suggestions on what to test?

I'm running: ruby 2.1.0p0 (2013-12-25 revision 44422) and jekyll [x86_64-darwin12.0]

@boyanpenkov

After some screwing around,

rvm reinstall all --force

fixed it. Now the right libyaml is read.

@dtao
Contributor

dtao commented Apr 7, 2014

This is honestly a bit of an unfortunate mess, which I haven't fully figured out yet.

If you're using RVM, it seems updating the psych gem affects the current Ruby, which fixes the problem, unless you're using Bundler, in which case you also need to add gem 'psych', '>= 2.0.5' to your Gemfile.

If you have Ruby installed system-wide, on the other hand, I'm not sure updating the psych gem accomplishes anything. I could be wrong about that. However, if you're using Ubuntu, updating the libyaml-0-2 package introduces a backported fix which SafeYAML won't detect (see dtao/safe_yaml#57).

My understanding is that if you are using the latest version of RVM, the new autolibs feature will compile Ruby with the libyaml fix for you (hence the fix that @boyanpenkov just mentioned). I could be wrong about that, too.

What I just wrote is basically the sum of my rough memory of little spats of troubleshooting I've had time to put in here and there over the past couple days. It could be inaccurate in the details; but what I am confident about is that there are unfortunate inconsistencies in how to resolve this issue between systems. This is something I obviously need to figure out and fix (by providing a more helpful warning message, where appropriate) in the near future.

The good news is that for now, if you just want to get rid of the warning, it's quite easy: require safe_yaml 1.0.1 instead of 1.0.2. The two should be functionally equivalent except for this warning.
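The warning in this thread is driven by a version comparison against the libyaml that the loaded psych was compiled with, and several replies above come down to "which psych/libyaml is my Ruby actually picking up?". The following diagnostic is an added example, not code from the thread, from safe_yaml or from Jekyll; it reports the loaded psych gem, its file path and `Psych::LIBYAML_VERSION`, and re-implements the same version threshold check (0.1.6, as stated in the warning text). The function names `libyaml_vulnerable?` and `yaml_stack_report` are assumptions of this example.

```ruby
# Added diagnostic (not part of the thread, safe_yaml or Jekyll): shows which
# psych gem a Ruby loads and which libyaml it was built against, and applies
# the same "older than 0.1.6" rule that produces the SafeYAML warning.
require 'rubygems'
require 'psych'

# First libyaml release carrying the CVE-2014-2525 fix, per the warning text.
FIXED_LIBYAML = Gem::Version.new('0.1.6')

# True when the given libyaml version string predates the fixed release.
# Caveat noted by @dtao above: distributions that backport the patch (e.g.
# Ubuntu's libyaml-0-2 package) keep the old version number, so a purely
# version-based check like this one reports a false positive there.
def libyaml_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_LIBYAML
end

# Collects what a user on this thread needs to know: the psych version that
# was actually required, where it was loaded from (useful when two psych gems
# are installed), the libyaml it was compiled against, and the check result.
def yaml_stack_report
  libyaml = defined?(Psych::LIBYAML_VERSION) ? Psych::LIBYAML_VERSION : 'unknown'
  {
    psych_version:   Psych::VERSION,
    psych_path:      $LOADED_FEATURES.grep(/psych\.rb\z/).first,
    libyaml_version: libyaml,
    vulnerable:      libyaml == 'unknown' ? nil : libyaml_vulnerable?(libyaml)
  }
end

if __FILE__ == $PROGRAM_NAME
  yaml_stack_report.each { |key, value| puts "#{key}: #{value}" }
end
```

Run it with the same `ruby` binary that `jekyll` uses (on Windows, the one on the PATH that RailsInstaller set up); if `psych_path` points at a different gem directory than the psych you just installed with `--enable-bundled-libyaml`, that is the mismatch @boyanpenkov describes, and `libyaml_version` tells you whether the vendored or the system libyaml won.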

@boyanpenkov

@dtao, I concur with this -- my confusion arose from the fact that I had two versions of psych installed (2.0.5 and 2.0.2) and jekyll was reading the wrong one.

Reinstalling the whole thing did stop the warning from coming up, but I'm confused as to how it solved the problem. Still, I'm fine running my setup as is.

Thanks for your help!

@XhmikosR
Contributor Author

XhmikosR commented Apr 8, 2014

@dtao: I'm on Windows and I don't use rvm myself so psych has no effect...

@parkr: please don't close this issue just yet; it's directly related to Jekyll being that it requires people to change the require in jekyll itself.

@parkr parkr reopened this Apr 8, 2014
@parkr
Member

parkr commented Apr 8, 2014

please don't close this issue just yet; it's directly related to Jekyll being that it requires people to change the require in jekyll itself.

It seems to be a safe_yaml issue to me – I don't think we'd restrict to 1.0.1 in a new release because this warning has value. We can use this issue to track the safe_yaml troubles people have.

@RobertKenny

I had this problem as well. After chatting with the RVM people on IRC, they suggested rvm reinstall 2.1.1 --disable-binary; I then reinstalled Jekyll and everything is working.

@XhmikosR
Contributor Author

XhmikosR commented Apr 8, 2014

So everyone solves the issue with rvm. But what about people without rvm? I re-installed everything but I still get the warning myself.

I think the only workaround for me is this:

gem uninstall safe_yaml
gem install safe_yaml -v "=1.0.1"

The problem is that with a gem update I'll end up with safe_yaml 1.0.2 again. Can't this be solved properly upstream somehow?

@fabianrbz
Member

What are you using to install Ruby?

@XhmikosR
Contributor Author

XhmikosR commented Apr 8, 2014

@fabianrbz: I use Railsinstaller.

@mscharley
Contributor

This isn't solvable on Windows it seems for the time being, short of compiling Ruby yourself (something that rvm makes very easy to do... on Linux.). Both RailsInstaller and the RubyInstaller packages are precompiled. Keep an eye out for an updated version of Ruby and it should hopefully resolve itself when the next patchlevel release is made.

@mscharley
Contributor

@XhmikosR regarding your concerns about gem update, my best suggestion is to start using and loving Bundler. That'll solve that problem straight up.

@XhmikosR
Contributor Author

@mscharley: I don't feel that that is a solution for me. The fact is that before safe_yaml v1.0.2, I had no issues; I don't see why I'd need to change the way I use packages instead of having this fixed upstream.

As for Railsinstaller, I don't see how it's even related; it doesn't ship safe_yaml... safe_yaml is installed when I install Jekyll on my system.

@mscharley
Contributor

@XhmikosR it doesn't ship safe_yaml; it does ship the C YAML library that safe_yaml uses, however, which is where the issue actually is. Not sure why, but the vendored version doesn't seem to work for me either (using RubyInstaller).

@XhmikosR
Contributor Author

OK, that makes sense then. So what we need is a new Ruby version and after that a new Railsinstaller version. I already made a PR for the updated libraries, but there's no patched 1.9.3 Ruby version. I only find v1_9_3_545.

@XhmikosR
Contributor Author

This seems fixed in safe_yaml 1.0.3, thanks @dtao!

@simonsarris

Confirmed fixed on Windows by installing safe_yaml (gem install safe_yaml).

@imvman

imvman commented May 2, 2014

Thanks all. It works.

@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017