Chris Rohlf has reported a vulnerability in Ruby-GNOME2, which can potentially be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a format string error within the "Gtk::MessageDialog.new()" method in gtk/src/rbgtkmessagedialog.c and can potentially be exploited to execute arbitrary code when a specially crafted string is passed to the affected function.

NOTE: Exploitation and impact of this vulnerability depend on how an application uses the affected function of the vulnerable library.

The vulnerability is reported in version 0.16.0. Other versions may also be affected.

Solution: Fixed in the SVN repository.
http://ruby-gnome2.svn.sourceforge.ne...uby-gnome2?view=rev&revision=2720

Provided and/or discovered by: Chris Rohlf

Original Advisory: http://em386.blogspot.com/2007/11/your-favorite-better-than-c-scripting.html

Reproducible: Always
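The vulnerable and hardened call patterns behind this class of bug, as an added example that is not Ruby-GNOME2 or GTK code. `render_dialog_text`, `binding_new_unsafe`, `binding_new_safe` and `count_conversions` are hypothetical names, and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style C API (format, ...), such as a
 * dialog constructor. Assumption for illustration; not GTK code. */
static int render_dialog_text(char *out, size_t cap, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, cap, format, ap);
    va_end(ap);
    return n;
}

/* BEFORE (vulnerable pattern): the caller's string becomes the format, so a
 * conversion inside it consumes arguments that were never passed. */
int binding_new_unsafe(char *out, size_t cap, const char *message)
{
    return render_dialog_text(out, cap, message);
}

/* AFTER (hardened pattern): constant format, message passed as data. */
int binding_new_safe(char *out, size_t cap, const char *message)
{
    return render_dialog_text(out, cap, "%s", message);
}

/* Audit helper: count conversion specifications in a string that is about
 * to reach a format parameter ("%%" is a literal percent, not counted). */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++; else n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *sample = "disk 100%s full %x%x%n"; /* constructed sample */
    binding_new_safe(buf, sizeof buf, sample);
    printf("safe render: %s\nconversions: %zu\n", buf, count_conversions(sample));
    return 0;
}
```

The unsafe variant is shown for comparison and is only ever safe to call with text that contains no conversions; a non-zero result from `count_conversions` on caller-supplied text is the signal that the constant-format form is required.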
Let's wait for upstream to provide a fixed release.
Created attachment 137213: patch
maintainers - please advise and include that patch if possible
We have split up the Ruby-Gnome2 stuff into several packages. The specific code is part of dev-ruby/ruby-gtk2-0.16-r1 and older releases. I have just added dev-ruby/ruby-gtk2-0.16-r2 to CVS which contains the patch that Lars appended. @Lars: thanks for digging it up and appending it.
Please ping if you think it's ready for stabling.
arches - please test this ebuild and mark it stable as necessary
target Package: dev-ruby/ruby-gtk-0.16-r2
target Arches: x86,ppc,sparc,amd64,alpha,ppc64,hppa
x86 stable
I removed the arches that lacked a testing/stable version from the list:
target Package: dev-ruby/ruby-gtk-0.16-r2
target Arches: x86(done) ppc,sparc,amd64,alpha
amd64 stable
ppc stable
alpha/ia64/sparc stable and is not keyworded on mips, ready for glsa
filed.
GLSA 200712-09
Does not affect current (2008.0) release. Removing release.