2.0.0.484-1ubuntu2.10 triggers uninitialized constant Gem::SafeYAML on calling gem2.0 install

Bug #1777174 reported by Andy Edwards
This bug affects 5 people
Affects: ruby2.0 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

# Summary
Our Docker builds have just started failing as soon as 2.0.0.484-1ubuntu2.10 was released. Whenever we call "gem2.0 install {some package}", we get an error saying "uninitialized constant Gem::SafeYAML"

# Required Info

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04

2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
ruby2.0:
  Installed: 2.0.0.484-1ubuntu2.10
  Candidate: 2.0.0.484-1ubuntu2.10
  Version table:
 *** 2.0.0.484-1ubuntu2.10 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.0.484-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

3) What you expected to happen
"gem install rubygems-update" to work

4) What happened instead
We see the error below
ERROR: While executing gem ... (NameError)
    uninitialized constant Gem::SafeYAML

# Recreate:
To recreate, take the following Dockerfile and try to build the image:

-----------
FROM ubuntu:trusty
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y install ruby2.0 ruby2.0-dev
RUN gem2.0 install rubygems-update
-----------

This produces the following output:

-----------
Sending build context to Docker daemon 2.048kB
Step 1/4 : FROM ubuntu:trusty
 ---> 38c759202e30
Step 2/4 : ENV DEBIAN_FRONTEND noninteractive
 ---> Running in fb4736ccbcfe
Removing intermediate container fb4736ccbcfe
 ---> 8d3ab112c945
Step 3/4 : RUN apt-get update && apt-get -y install ruby2.0 ruby2.0-dev
 ---> Running in 17e525082f30
Ign http://archive.ubuntu.com trusty InRelease
Get:1 http://archive.ubuntu.com trusty-updates InRelease [65.9 kB]
Get:2 http://archive.ubuntu.com trusty-security InRelease [65.9 kB]
Get:3 http://archive.ubuntu.com trusty Release.gpg [933 B]
Get:4 http://archive.ubuntu.com trusty Release [58.5 kB]
Get:5 http://archive.ubuntu.com trusty-updates/main Sources [514 kB]
Get:6 http://archive.ubuntu.com trusty-updates/restricted Sources [6449 B]
Get:7 http://archive.ubuntu.com trusty-updates/universe Sources [253 kB]
Get:8 http://archive.ubuntu.com trusty-updates/main amd64 Packages [1348 kB]
Get:9 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [21.4 kB]
Get:10 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [587 kB]
Get:11 http://archive.ubuntu.com trusty-security/main Sources [199 kB]
Get:12 http://archive.ubuntu.com trusty-security/restricted Sources [5050 B]
Get:13 http://archive.ubuntu.com trusty-security/universe Sources [88.9 kB]
Get:14 http://archive.ubuntu.com trusty-security/main amd64 Packages [924 kB]
Get:15 http://archive.ubuntu.com trusty-security/restricted amd64 Packages [18.1 kB]
Get:16 http://archive.ubuntu.com trusty-security/universe amd64 Packages [292 kB]
Get:17 http://archive.ubuntu.com trusty/main Sources [1335 kB]
Get:18 http://archive.ubuntu.com trusty/restricted Sources [5335 B]
Get:19 http://archive.ubuntu.com trusty/universe Sources [7926 kB]
Get:20 http://archive.ubuntu.com trusty/main amd64 Packages [1743 kB]
Get:21 http://archive.ubuntu.com trusty/restricted amd64 Packages [16.0 kB]
Get:22 http://archive.ubuntu.com trusty/universe amd64 Packages [7589 kB]
Fetched 23.1 MB in 6s (3333 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  ca-certificates libjs-jquery libruby1.9.1 libruby2.0 libyaml-0-2 openssl
  ruby ruby1.9.1 rubygems-integration
Suggested packages:
  javascript-common ri ruby-dev ruby1.9.1-examples ri1.9.1 graphviz
  ruby1.9.1-dev ruby-switch bundler
The following NEW packages will be installed:
  ca-certificates libjs-jquery libruby1.9.1 libruby2.0 libyaml-0-2 openssl
  ruby ruby1.9.1 ruby2.0 ruby2.0-dev rubygems-integration
0 upgraded, 11 newly installed, 0 to remove and 73 not upgraded.
Need to get 7268 kB of archives.
After this operation, 32.5 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main libyaml-0-2 amd64 0.1.4-3ubuntu3.1 [48.1 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty-updates/main openssl amd64 1.0.1f-1ubuntu2.25 [490 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-updates/main ca-certificates all 20170717~14.04.1 [167 kB]
Get:4 http://archive.ubuntu.com/ubuntu/ trusty/main libjs-jquery all 1.7.2+dfsg-2ubuntu1 [78.8 kB]
Get:5 http://archive.ubuntu.com/ubuntu/ trusty/main ruby all 1:1.9.3.4 [5334 B]
Get:6 http://archive.ubuntu.com/ubuntu/ trusty-updates/main ruby1.9.1 amd64 1.9.3.484-2ubuntu1.12 [35.7 kB]
Get:7 http://archive.ubuntu.com/ubuntu/ trusty-updates/main libruby1.9.1 amd64 1.9.3.484-2ubuntu1.12 [2651 kB]
Get:8 http://archive.ubuntu.com/ubuntu/ trusty-updates/main libruby2.0 amd64 2.0.0.484-1ubuntu2.10 [2813 kB]
Get:9 http://archive.ubuntu.com/ubuntu/ trusty-updates/main ruby2.0 amd64 2.0.0.484-1ubuntu2.10 [66.5 kB]
Get:10 http://archive.ubuntu.com/ubuntu/ trusty/main rubygems-integration all 1.5 [5340 B]
Get:11 http://archive.ubuntu.com/ubuntu/ trusty-updates/main ruby2.0-dev amd64 2.0.0.484-1ubuntu2.10 [907 kB]
Preconfiguring packages ...
Fetched 7268 kB in 0s (9095 kB/s)
Selecting previously unselected package libyaml-0-2:amd64.
(Reading database ... 11558 files and directories currently installed.)
Preparing to unpack .../libyaml-0-2_0.1.4-3ubuntu3.1_amd64.deb ...
Unpacking libyaml-0-2:amd64 (0.1.4-3ubuntu3.1) ...
Selecting previously unselected package openssl.
Preparing to unpack .../openssl_1.0.1f-1ubuntu2.25_amd64.deb ...
Unpacking openssl (1.0.1f-1ubuntu2.25) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../ca-certificates_20170717~14.04.1_all.deb ...
Unpacking ca-certificates (20170717~14.04.1) ...
Selecting previously unselected package libjs-jquery.
Preparing to unpack .../libjs-jquery_1.7.2+dfsg-2ubuntu1_all.deb ...
Unpacking libjs-jquery (1.7.2+dfsg-2ubuntu1) ...
Selecting previously unselected package ruby.
Preparing to unpack .../ruby_1%3a1.9.3.4_all.deb ...
Unpacking ruby (1:1.9.3.4) ...
Selecting previously unselected package ruby1.9.1.
Preparing to unpack .../ruby1.9.1_1.9.3.484-2ubuntu1.12_amd64.deb ...
Unpacking ruby1.9.1 (1.9.3.484-2ubuntu1.12) ...
Selecting previously unselected package libruby1.9.1.
Preparing to unpack .../libruby1.9.1_1.9.3.484-2ubuntu1.12_amd64.deb ...
Unpacking libruby1.9.1 (1.9.3.484-2ubuntu1.12) ...
Selecting previously unselected package libruby2.0:amd64.
Preparing to unpack .../libruby2.0_2.0.0.484-1ubuntu2.10_amd64.deb ...
Unpacking libruby2.0:amd64 (2.0.0.484-1ubuntu2.10) ...
Selecting previously unselected package ruby2.0.
Preparing to unpack .../ruby2.0_2.0.0.484-1ubuntu2.10_amd64.deb ...
Unpacking ruby2.0 (2.0.0.484-1ubuntu2.10) ...
Selecting previously unselected package rubygems-integration.
Preparing to unpack .../rubygems-integration_1.5_all.deb ...
Unpacking rubygems-integration (1.5) ...
Selecting previously unselected package ruby2.0-dev:amd64.
Preparing to unpack .../ruby2.0-dev_2.0.0.484-1ubuntu2.10_amd64.deb ...
Unpacking ruby2.0-dev:amd64 (2.0.0.484-1ubuntu2.10) ...
Setting up libyaml-0-2:amd64 (0.1.4-3ubuntu3.1) ...
Setting up openssl (1.0.1f-1ubuntu2.25) ...
Setting up ca-certificates (20170717~14.04.1) ...
Setting up libjs-jquery (1.7.2+dfsg-2ubuntu1) ...
Setting up ruby2.0-dev:amd64 (2.0.0.484-1ubuntu2.10) ...
Setting up ruby (1:1.9.3.4) ...
Setting up ruby1.9.1 (1.9.3.484-2ubuntu1.12) ...
Setting up libruby1.9.1 (1.9.3.484-2ubuntu1.12) ...
Setting up rubygems-integration (1.5) ...
Setting up ruby2.0 (2.0.0.484-1ubuntu2.10) ...
Setting up libruby2.0:amd64 (2.0.0.484-1ubuntu2.10) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
Processing triggers for ca-certificates (20170717~14.04.1) ...
Updating certificates in /etc/ssl/certs... 148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Removing intermediate container 17e525082f30
 ---> ba9cb1254920
Step 4/4 : RUN gem2.0 install rubygems-update
 ---> Running in ba4460591130
ERROR: While executing gem ... (NameError)
    uninitialized constant Gem::SafeYAML
The command '/bin/sh -c gem2.0 install rubygems-update' returned a non-zero code: 1
-----------

It doesn't seem to matter what package we try to install, there is always an error.

We have build logs showing that this worked fine with 2.0.0.484-1ubuntu2.9.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ruby2.0 (Ubuntu):
status: New → Confirmed

Nick Griffiths (nicobrevin) wrote :

Also affected - gem2.0 is totally stuffed with this. It seems like if your system didn't already have a recent version of psych installed before the upgrade (maybe) then you can't use it...

I tried using the safe_yaml that seems to be bundled with ruby (or perhaps it was pre-installed?), but that fails too...

ruby2.0 -r safe_yaml -r rubygems/safe_yaml -S gem install psych --version 2.0.17 --backtrace
ERROR: While executing gem ... (ArgumentError)
    wrong number of arguments (4 for 1..3)
 /usr/lib/ruby/vendor_ruby/safe_yaml/load.rb:136:in `load'
 /usr/lib/ruby/vendor_ruby/safe_yaml.rb:29:in `safe_load'
 /usr/lib/ruby/2.0.0/rubygems/safe_yaml.rb:31:in `safe_load'
 /usr/lib/ruby/2.0.0/rubygems/package.rb:445:in `block (2 levels) in read_checksums'
 /usr/lib/ruby/2.0.0/rubygems/package.rb:444:in `wrap'
 /usr/lib/ruby/2.0.0/rubygems/package.rb:444:in `block in read_checksums'

Nick Griffiths (nicobrevin) wrote :

I have a workaround - I downgraded to the previous version:

apt-get install ruby2.0=2.0.0.484-1ubuntu2 libruby2.0=2.0.0.484-1ubuntu2
ruby2.0 -S gem install psych --version 2.0.17
apt-get install ruby2.0
ruby2.0 -r yaml -r rubygems/safe_yaml -S gem install $whatever

Revision history for this message
Nick Griffiths (nicobrevin) wrote :

I meant to say I temporarily rolled back, installed psych, then upgraded back to the secure version again.

Nick Griffiths (nicobrevin) wrote :

If it's of use to anyone else, I had a broken build due to bundler choking on this error - I edited my /usr/local/bin/bundle and added:

--- bundle 2018-06-20 16:07:50.742507869 +1200
+++ /usr/local/bin/bundle 2018-06-20 16:05:45.021007716 +1200
@@ -7,6 +7,8 @@
 #

 require 'rubygems'
+require 'yaml'
+require 'rubygems/safe_yaml'

 version = ">= 0"
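Review bot: The two added require lines carry no comment saying they are a workaround for this bug, so nothing in /usr/local/bin/bundle marks them for removal once the ruby2.0 package is fixed. A one-line comment above `require 'yaml'` naming Bug #1777174 would cover that. Keep the order as written (yaml before rubygems/safe_yaml), which matches the `-r yaml -r rubygems/safe_yaml` order used on the command line elsewhere in this thread.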

Nick Griffiths (nicobrevin) wrote :

Here's a version of Andy Edwards' Dockerfile which applies my workaround:

---
FROM ubuntu:trusty
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y install ruby2.0=2.0.0.484-1ubuntu2 libruby2.0=2.0.0.484-1ubuntu2 libffi-dev ruby2.0-dev build-essential
RUN ruby2.0 -S gem install psych --version 2.0.17
RUN apt-get -y install ruby2.0 libruby2.0
RUN ruby2.0 -r yaml -r rubygems/safe_yaml -S gem2.0 install rubygems-update
---

Philip Davies (bb-phildavies) wrote :

We're getting the same issues, but the workaround isn't working. When we try to do

ruby2.0 -S gem install psych --version 2.0.17

We get:

ruby2.0 -S gem install psych --version 2.0.17
Fetching: psych-2.0.17.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing psych:
 ERROR: Failed to build gem native extension.

    /usr/bin/ruby2.0 extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/include/ruby.h

Gem files will remain installed in /var/lib/gems/2.0.0/gems/psych-2.0.17 for inspection.
Results logged to /var/lib/gems/2.0.0/gems/psych-2.0.17/ext/psych/gem_make.out

Philip Davies (bb-phildavies) wrote :

Sorry scrap that, forgot to do apt-get update.

Once I did the update and ran the workaround I still get issues doing gem2 update

/usr/bin/gem2 update
Updating installed gems
Updating bigdecimal
ERROR: While executing gem ... (NameError)
    uninitialized constant Gem::SafeYAML

Nick Griffiths (nicobrevin) wrote :

Hi Philip,

The workaround comes in two parts:

First you roll back to ruby2.0 2.0.0.484-1ubuntu2 and install psych 2.0.17 - this will require build-essential, libffi-dev and ruby2.0-dev (as per the Dockerfile). At this point you can reinstall the security fix.

The second part, which is awful, is you have to make sure any gem commands are run with:

ruby2.0 -r yaml -r rubygems/safe_yaml -S gem

I've just rechecked building that Dockerfile from scratch and it all looks good my end, so maybe go over it a bit more carefully and see if you've missed something from the steps.
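
One way to package the second part of the workaround so that callers do not each need the long command line. This is an added example, not code from the thread. The function names, the AFFECTED_VERSIONS list and the safe-gem install name are assumptions, and it presumes psych 2.0.17 is already installed as in the first part.

```shell
#!/bin/sh
# Added example: apply the thread's "-r yaml -r rubygems/safe_yaml" preload
# only when the installed ruby2.0 package is a version known to need it.

# Package versions that need the preload. Only the version named in this
# report is listed (assumption: adjust as fixed packages are published).
AFFECTED_VERSIONS="2.0.0.484-1ubuntu2.10"

# Return 0 if the given package version needs the preload, 1 otherwise.
needs_preload() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print the command prefix to use for a given package version.
gem_prefix() {
    if needs_preload "$1"; then
        echo "ruby2.0 -r yaml -r rubygems/safe_yaml -S gem"
    else
        echo "gem2.0"
    fi
}

# Installed version of the ruby2.0 package; empty if dpkg has no record.
installed_version() {
    dpkg-query -W -f='${Version}' ruby2.0 2>/dev/null || true
}

# Run gem with the caller's arguments, adding the preload when required.
safe_gem() {
    # Word splitting of the fixed prefix is intentional here.
    exec $(gem_prefix "$(installed_version)") "$@"
}

# Dispatch only when installed under the (hypothetical) name "safe-gem",
# so the file can also be sourced for its functions.
case "$0" in
    *safe-gem) safe_gem "$@" ;;
esac
```

Because the decision is made from the installed package version at run time, the security update stays installed and the preload stops being applied once the version no longer matches the list.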

Philip Davies (bb-phildavies) wrote :

Hey Nick,

Ah ok, so that's a bit painful, as it means that until this is fixed we'll need to go through our puppet code and re-write a whole heap to run ruby2.0 -r yaml -r rubygems/safe_yaml -S gem instead of the puppet way :(

Thanks

Phil

Nick Griffiths (nicobrevin) wrote : Re: [Bug 1777174] Re: 2.0.0.484-1ubuntu2.10 triggers uninitialized constant Gem::SafeYAML on calling gem2.0 install

Ouch - If you wanted to get clever, you could add your own puppet package
provider that extends the default gem one to use that altered path - it's
probably not as hard as it sounds.

On Thu, Jun 21, 2018 at 3:10 AM Philip Davies <email address hidden>
wrote:

> Hey Nick,
>
> Ah ok, so that's a bit painful, as it means that until this is fixed we'll
> need to go through our puppet code and re-write a whole heap to run ruby2.0 -r
> yaml -r rubygems/safe_yaml -S gem instead of the puppet way :(
>
> Thanks
>
> Phil
