mlte.de

Compile Ruby 2.1.2 with libyaml on CentOS

Compiling libyaml 0.1.6

To fix the Ruby security issue "Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)" you need to make sure that your Ruby installation uses libyaml version 0.1.6 or later. To test which libyaml version Ruby actually uses at runtime, run

$ ruby -rpsych -e "puts Psych.libyaml_version.join('.')"

The parameter -r requires the named library before the script runs and -e executes the given one-liner, which in this case prints the libyaml version Psych was loaded with in dotted form (e.g. 0.1.5).

To update libyaml on CentOS you cannot use yum at the time of writing, as the version in yum is still only 0.1.5. We therefore uninstall the yum packages libyaml and libyaml-devel (removing libyaml also removes libyaml-devel and any other installed package that depends on it, so check what yum wants to remove before confirming):

$ yum remove libyaml

We then download libyaml from the official website, extract it, build it and install it. The tarball is fetched over plain HTTP, so verify it against the checksum or signature published by the project before building.

$ wget http://pyyaml.org/download/libyaml/yaml-0.1.6.tar.gz
$ tar xzvf yaml-0.1.6.tar.gz
$ cd yaml-0.1.6
$ ./configure --prefix=/usr
$ make
$ make install

This will install the libyaml library into /usr/lib/ and the headers into /usr/include. At least on my machine the yum package installed the library into /usr/lib64 (the default library directory on 64-bit CentOS; passing --libdir=/usr/lib64 to ./configure would put the new build there as well), which means I had to run

$ ldconfig -v

to update the dynamic loader's cache so it finds the new shared library. It should output something like this:

.../usr/lib:
libyaml-0.so.2 -> libyaml.so
...

You can confirm with ldconfig -p | grep libyaml that the resolved path now points to the freshly built library and not to a leftover copy in /usr/lib64.

Now we can compile Ruby as usual. (Actually I'm not quite sure if you really need to compile Ruby against the new version of libyaml. In my little test it worked already just by replacing the shared library.)
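The one-liner above only prints a version string. The following script is an added example (it is not from the original post) that turns the check into something you can run after the rebuild: it compares the loaded libyaml against 0.1.6, the release that fixed CVE-2014-2525, using Gem::Version rather than a string comparison (so that 0.1.10 correctly sorts after 0.1.6), and on Linux it asks ldd which libyaml shared object the psych extension actually resolved, which is the quickest way to catch a stale copy in /usr/lib64 still being picked up. The ldd parsing and the /proc-free path lookup are my own additions and assumptions, not part of Psych.

```ruby
# Added example: verify the libyaml that Psych loaded at runtime.
require 'psych'
require 'rubygems'

# libyaml release that fixed CVE-2014-2525
LIBYAML_FIXED = Gem::Version.new('0.1.6')

# version: an Array like Psych.libyaml_version returns, e.g. [0, 1, 5].
# Gem::Version compares numerically per component, so [0, 1, 10] >= [0, 1, 6].
def libyaml_version_ok?(version, fixed = LIBYAML_FIXED)
  Gem::Version.new(version.join('.')) >= fixed
end

# Path of the psych C extension the running interpreter loaded, or nil.
def psych_extension_path
  $LOADED_FEATURES.find { |f| f =~ /psych\.(so|bundle)\z/ }
end

# The libyaml shared object the psych extension resolves at runtime.
# Linux only (parses `ldd` output); returns nil elsewhere, if ldd is
# missing, or if libyaml is statically linked into the extension.
def linked_libyaml(ext = psych_extension_path)
  return nil unless ext && RUBY_PLATFORM =~ /linux/
  out = `ldd #{ext} 2>/dev/null`
  line = out.lines.find { |l| l.include?('libyaml') }
  line && line[/=>\s*(\S+)/, 1]
rescue SystemCallError
  nil
end

# Collects version, fix status and the real file behind the symlink chain.
def libyaml_report
  version = Psych.libyaml_version
  so = linked_libyaml
  {
    version: version.join('.'),
    ok: libyaml_version_ok?(version),
    shared_object: so,
    realpath: (so && File.exist?(so)) ? File.realpath(so) : nil
  }
end

if $PROGRAM_NAME == __FILE__
  r = libyaml_report
  status = r[:ok] ? 'fixed' : 'VULNERABLE to CVE-2014-2525'
  puts "libyaml #{r[:version]} (#{status})"
  puts "loaded from #{r[:realpath] || r[:shared_object] || 'unknown (not Linux or statically linked)'}"
  exit(r[:ok] ? 0 : 1)
end
```

Run it with the Ruby you just built (/usr/local/ruby/bin/ruby check_libyaml.rb); a non-zero exit status means the interpreter is still linked against a pre-0.1.6 libyaml, and the printed path tells you which file to replace or which ldconfig entry is winning.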

Compiling Ruby 2.1.2

To compile Ruby manually we need to install some dependencies first. On CentOS this can be done using the package manager as follows (make is included because the build steps below call it).

$ yum install gcc make openssl-devel readline-devel zlib-devel

libyaml-devel is not contained in this list as we installed it manually in the section above.

We download Ruby from the official website, extract it, build it and install it. Compare the tarball against the SHA256 sum published in the release announcement on ruby-lang.org before extracting it.

$ wget http://ftp.ruby-lang.org/pub/ruby/ruby-2.1.2.tar.gz
$ tar xzvf ruby-2.1.2.tar.gz
$ cd ruby-2.1.2
$ ./configure --prefix=/usr/local/ruby-2.1.2
$ make
$ make install

For easier maintenance I chose to create a symbolic link and add that to the system's path instead of directly adding the directory containing the just-installed Ruby. This way it is easier to install another version of Ruby and switch between versions, for example when updating Ruby and testing whether everything still works with the newer version.

$ cd /usr/local
$ ln -s ruby-2.1.2 ruby

Finally we need to add Ruby to the path. We therefore create a ruby.sh in the /etc/profile.d directory which adds Ruby to the path. pathmunge is a shell function defined in CentOS's /etc/profile, which sources the scripts in /etc/profile.d after defining it, so it is available there; note the full path, otherwise the file ends up in the current directory.

$ echo 'pathmunge /usr/local/ruby/bin' > /etc/profile.d/ruby.sh

Now log back in and run

$ ruby -v

to check that everything is working. Instead of logging back in, you can reload the profile in the current shell:

$ . /etc/profile

This updates the $PATH variable.

You can check that OpenSSL, Zlib and Readline are actually available to the new Ruby using the following command; a LoadError here means the corresponding -devel package was missing when ./configure ran.

$ ruby -ropenssl -rzlib -rreadline -e "puts :success"

Source

This description is mainly based on the article Install Ruby 1.9.3 with libyaml on CentOS by Brian Ryckbost which is a little bit outdated but still valid.