Backport #9482

backport r44809 and r44811

Added by hsbt (Hiroshi SHIBATA) about 6 years ago. Updated almost 6 years ago.

Updated by naruse (Yui NARUSE) about 6 years ago

  • Status changed from Open to Rejected

The fix seems half-baked

Updated by postmodern (Hal Brodigan) about 6 years ago

The short-term solution would be to backport the updates to psych's vendored libyaml 0.1.4. The long-term solution is to cease vendoring libyaml and compile against the system's libyaml. Either way, I prefer that Ruby does not ship with vulnerable code. ;)
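A check an operator can run against an installed Ruby to see which libyaml psych is actually linked with, added here as an example and not taken from the ticket or from psych itself. `Psych::LIBYAML_VERSION` and `Psych::VERSION` are real constants exported by psych; the helper names and the 0.1.5 threshold (the version this backport merges) are this example's own assumptions.

```ruby
# Added example (not from the ticket or the psych project): report which libyaml
# this Ruby's psych is built against, whether vendored or the system library,
# and whether it is at least the 0.1.5 that the backport merges.
require 'psych'
require 'rubygems'

# Assumed threshold: the libyaml release merged by this backport.
MIN_LIBYAML = '0.1.5'

# Returns true when `version` (a "x.y.z" string) is at least `minimum`.
# Gem::Version does a proper segment-wise comparison, so "0.1.10" > "0.1.5".
def libyaml_at_least?(version, minimum = MIN_LIBYAML)
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# Inspect the running interpreter. Returns a hash so a CI or fleet check can
# act on the result instead of parsing printed output. `version` defaults to
# the libyaml psych was compiled against.
def libyaml_status(version = Psych::LIBYAML_VERSION)
  {
    ruby:    RUBY_VERSION,
    psych:   Psych::VERSION,
    libyaml: version,
    fixed:   libyaml_at_least?(version)
  }
end

# Human-readable one-liner for the status hash.
def libyaml_report(status = libyaml_status)
  verdict = status[:fixed] ? "OK (>= #{MIN_LIBYAML})" : "UPDATE NEEDED (< #{MIN_LIBYAML})"
  "ruby #{status[:ruby]}, psych #{status[:psych]}, libyaml #{status[:libyaml]}: #{verdict}"
end
```

Run `ruby -e 'load "check.rb"; puts libyaml_report'` on each host; a build that still carries the vendored 0.1.4 reports UPDATE NEEDED regardless of the Ruby or psych version string, which is the case this ticket is about.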

Updated by nagachika (Tomoyuki Chikanaga) about 6 years ago

Just for reference, there are the following changesets: r44813, r44815, r44816, r44817 and r44818.

Updated by naruse (Yui NARUSE) about 6 years ago

  • Status changed from Rejected to Assigned

Updated by naruse (Yui NARUSE) almost 6 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r45160.

merge revision(s) 44809,44811,44813,44815,44816,44817,44818,44918,45003: [Backport #9482]

* ext/psych/yaml/emitter.c: merge libyaml 0.1.5
* ext/psych/yaml/loader.c: ditto
* ext/psych/yaml/parser.c: ditto
* ext/psych/yaml/reader.c: ditto
* ext/psych/yaml/scanner.c: ditto
* ext/psych/yaml/writer.c: ditto
* ext/psych/yaml/yaml_private.h: ditto
* ext/psych/lib/psych.rb: New release of psych.
* ext/psych/psych.gemspec: ditto
