Install libyaml 0.1.5 for 2.x rubies also

This should plug the vulnerability to CVE-2013-6393 (and fix #504) that can still occur in certain systems: If the ruby build process couldn't find a libyaml that worked, it would build its own vendored libyaml, which was 0.1.4 (and is vulnerable). Instead, specify that the build always should install the latest libyaml & build against that.
2025-10-23 06:10:32 +02:00 · 2014-02-07 15:41:03 -08:00 · 2014-02-07 15:41:03 -08:00 · 45067e752f
commit 45067e752f
parent 26372ad82a
13 changed files with 13 additions and 0 deletions
--- a/share/ruby-build/2.1.0
+++ b/share/ruby-build/2.1.0
@ -1,2 +1,3 @@
+install_package "yaml-0.1.5" "http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz#24f6093c1e840ca5df2eb09291a1dbf1" --if needs_yaml
 install_package "openssl-1.0.1e" "https://www.openssl.org/source/openssl-1.0.1e.tar.gz#66bf6f10f060d561929de96f9dfe5b8c" mac_openssl --if has_broken_mac_openssl
 install_package "ruby-2.1.0" "http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.0.tar.gz#9e6386d53f5200a3e7069107405b93f7" ldflags_dirs standard verify_openssl