| require "set" |
| |
| module SafeYAML |
| class LibyamlChecker |
| LIBYAML_VERSION = Psych::LIBYAML_VERSION rescue nil |
| |
| # Do proper version comparison (e.g. so 0.1.10 is >= 0.1.6) |
| SAFE_LIBYAML_VERSION = Gem::Version.new("0.1.6") |
| |
| KNOWN_PATCHED_LIBYAML_VERSIONS = Set.new([ |
| # http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2525.html |
| "0.1.4-2ubuntu0.12.04.3", |
| "0.1.4-2ubuntu0.12.10.3", |
| "0.1.4-2ubuntu0.13.10.3", |
| "0.1.4-3ubuntu3", |
| |
| # https://security-tracker.debian.org/tracker/CVE-2014-2525 |
| "0.1.3-1+deb6u4", |
| "0.1.4-2+deb7u4", |
| "0.1.4-3.2" |
| ]).freeze |
| |
| def self.libyaml_version_ok? |
| return true if YAML_ENGINE != "psych" || defined?(JRUBY_VERSION) |
| return true if Gem::Version.new(LIBYAML_VERSION || "0") >= SAFE_LIBYAML_VERSION |
| return libyaml_patched? |
| end |
| |
| def self.libyaml_patched? |
| return false if (`which dpkg` rescue '').empty? |
| libyaml_version = `dpkg -s libyaml-0-2`.match(/^Version: (.*)$/) |
| return false if libyaml_version.nil? |
| KNOWN_PATCHED_LIBYAML_VERSIONS.include?(libyaml_version[1]) |
| end |
| end |
| end |