Backported Syck Patch for 1.8.6 to Guard Against Buffer Overflows #667

Merged
merged 1 commit into from Dec 28, 2011

jcsalterego commented Dec 28, 2011

This commit introduces a Ruby patch for 1.8.6 backported from 1.8.7, which fixes a buffer overflow caused by the YAML library syck:

Tue Apr 15 23:40:39 2008  Akinori MUSHA  <knu@iDaemons.org>
    * ext/syck/rubyext.c (rb_syck_mktime): Avoid buffer overflow.

As gem installations have embedded metadata.gz files, which are compressed YAML files, when config files are formed in a way to trigger the buffer overflow, ruby (and thus gem installations) crash hard.

As an isolated example, with a stock 1.8.6-p420 installation with rvm:

$ tar xfv /usr/local/rvm/gems/ruby-1.8.6-p420/cache/json-1.6.4.gem
data.tar.gz
tar: data.tar.gz: implausibly old time stamp 1970-01-01 00:00:00
metadata.gz
tar: metadata.gz: implausibly old time stamp 1970-01-01 00:00:00
$ gunzip metadata.gz 
$ irb
1.8.6-p420 :001 > require 'yaml'
 => true 
1.8.6-p420 :002 > YAML::load_file 'metadata'
*** buffer overflow detected ***: irb terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fefb17b61d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7fefb17b50f0]
/usr/local/rvm/rubies/ruby-1.8.6-p420/lib/ruby/1.8/x86_64-linux/syck.so(rb_syck_mktime+0x4b1)[0x7fefb09fe031]
<snip>

Related literature:

Thanks!

@jcsalterego jcsalterego Backport from 1.8.7 for 1.8.6: ext/syck/rubyext.c (rb_syck_mktime): Avoid buffer overflow. [ruby_1_8@16044]

Originally:
Tue Apr 15 23:40:39 2008  Akinori MUSHA  <knu@iDaemons.org>
    * ext/syck/rubyext.c (rb_syck_mktime): Avoid buffer overflow.
352e109

@mpapis mpapis added a commit that referenced this pull request Dec 28, 2011

@mpapis mpapis Merge pull request #667 from appozite/1.10.0-syck
Backported Syck Patch for 1.8.6 to Guard Against Buffer Overflows
7fdad69

@mpapis mpapis merged commit 7fdad69 into rvm:master Dec 28, 2011
