Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 200623 (CVE-2007-6183) - dev-ruby/ruby-gtk2 <0.16.0-r2 "" Format String Vulnerability (CVE-2007-6183)
Summary: dev-ruby/ruby-gtk2 <0.16.0-r2 "" Format String Vulner...
Alias: CVE-2007-6183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2007-11-28 11:12 UTC by Lars Hartmann
Modified: 2008-03-06 09:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

patch (fix_format_string_vulnerability.patch,565 bytes, patch)
2007-11-28 12:05 UTC, Lars Hartmann
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-11-28 11:12:52 UTC
Chris Rohlf has reported a vulnerability in Ruby-GNOME2, which can potentially be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a format string error within the "" method in gtk/src/rbgtkmessagedialog.c and can potentially be exploited to execute arbitrary code when a specially crafted string is passed to the affected function.

NOTE: Exploitation and impact of this vulnerability depend on how an application uses the affected function of the vulnerable library.

The vulnerability is reported in version 0.16.0. Other versions may also be affected.

Fixed in the SVN repository.

Provided and/or discovered by:
Chris Rohlf

Original Advisory:

Reproducible: Always
Comment 1 Lars Hartmann 2007-11-28 11:15:23 UTC
lets wait for upstream to provide a fixed release
Comment 2 Lars Hartmann 2007-11-28 12:05:01 UTC
Created attachment 137213 [details, diff]
Comment 3 Lars Hartmann 2007-11-28 12:05:44 UTC
maintainers - please advice and include that patch if possible
Comment 4 Hans de Graaff gentoo-dev Security 2007-11-28 20:05:28 UTC
We have split up the Ruby-Gnome2 stuff into several packages. The specific code is part of dev-ruby/ruby-gtk2-0.16-r1 and older releases.

I have just added dev-ruby/ruby-gtk2-0.16-r2 to CVS which contains the patch that Lars appended. @Lars: thanks for digging it up and appending it.

Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 00:03:42 UTC
Please ping if you think it's ready for stabling.
Comment 6 Lars Hartmann 2007-11-29 07:28:56 UTC
arches - please test this ebuild and mark it stable as necessary

target Package: dev-ruby/ruby-gtk-0.16-r2
target Arches: x86,ppc,sparc,amd64,alpha,ppc64,hppa
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-29 08:35:19 UTC
x86 stable
Comment 8 Lars Hartmann 2007-11-29 09:34:50 UTC
I removed the arches that lacked a testing/stable version from the list:

target Package: dev-ruby/ruby-gtk-0.16-r2
target Arches: x86(done) ppc,sparc,amd64,alpha
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-11-30 20:10:15 UTC
amd64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-02 15:38:59 UTC
ppc stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-12-04 17:34:03 UTC
alpha/ia64/sparc stable and is not keyworded on mips, ready for glsa
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 18:01:05 UTC
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-09 22:16:20 UTC
GLSa 200712-09
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:52:19 UTC
Does not affect current (2008.0) release. Removing release.