Backport #9482

backport r44809 and r44811

Added by hsbt (Hiroshi SHIBATA) about 10 years ago. Updated about 10 years ago.

Status:
Closed
[ruby-core:60452]

Description

Updated by naruse (Yui NARUSE) about 10 years ago

  • Status changed from Open to Rejected

The fix seems half-baked

Updated by postmodern (Hal Brodigan) about 10 years ago

The short-term solution would be to backport the updates to psych's vendored libyaml 0.1.4. The long-term solution is to cease vendoring libyaml and compile against the system's libyaml. Either way, I prefer that Ruby does not ship with vulnerable code. ;)

Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago

Just for reference, there are the following changesets: r44813, r44815, r44816, r44817 and r44818.

Updated by naruse (Yui NARUSE) about 10 years ago

  • Status changed from Rejected to Assigned

Updated by naruse (Yui NARUSE) about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r45160.

merge revision(s) 44809,44811,44813,44815,44816,44817,44818,44918,45003: [Backport #9482]

* ext/psych/yaml/emitter.c: merge libyaml 0.1.5
* ext/psych/yaml/loader.c: ditto
* ext/psych/yaml/parser.c: ditto
* ext/psych/yaml/reader.c: ditto
* ext/psych/yaml/scanner.c: ditto
* ext/psych/yaml/writer.c: ditto
* ext/psych/yaml/yaml_private.h: ditto
* ext/psych/lib/psych.rb: New release of psych.
* ext/psych/psych.gemspec: ditto