Hi,
just in case you have no time to do an upload I prepared an
NMU. Maybe it also helps you prepare an update.
The attached patch fixes this issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/ruby-gnome2-0.16.0-8_0.16.0-8.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ruby-gnome2-0.16.0/debian/changelog ruby-gnome2-0.16.0/debian/changelog
--- ruby-gnome2-0.16.0/debian/changelog
+++ ruby-gnome2-0.16.0/debian/changelog
@@ -1,3 +1,12 @@
+ruby-gnome2 (0.16.0-8.1) unstable; urgency=high
+
+  * Non-maintainer upload by testing-security team.
+  * Included CVE-2007-6183.patch to fix format string vulnerability
+    in rbgtkmessagedialog.c which might lead to arbitrary code
+    execution (Closes: #453689)
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Fri, 30 Nov 2007 17:07:39 +0100
+
 ruby-gnome2 (0.16.0-8) unstable; urgency=low
 
   * Add window-warning.patch (Closes: #446602).
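Review bot: the changelog entry names the vulnerable file and the CVE, but not where the fix comes from; since the embedded patch header shows it was lifted from upstream rbgtkmessagedialog.c between revisions 2275 and 2720, consider stating that origin in the entry (e.g. "backported from upstream r2720") so the NMU can be matched against upstream when the maintainer prepares the next release. Minor style point: Debian convention for the first bullet is "Non-maintainer upload by the testing security team."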
diff -u ruby-gnome2-0.16.0/debian/patches/series ruby-gnome2-0.16.0/debian/patches/series
--- ruby-gnome2-0.16.0/debian/patches/series
+++ ruby-gnome2-0.16.0/debian/patches/series
@@ -9,0 +10 @@
+CVE-2007-6183.patch
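Review bot: the hunk header `@@ -9,0 +10 @@` shows CVE-2007-6183.patch is appended as the tenth and last entry, so it is applied after the nine existing patches, including the window-warning.patch mentioned in the changelog. The embedded patch context was taken against the upstream revision 2275 file, so please confirm it still applies cleanly (without fuzz) on top of the earlier series entries before upload.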
only in patch2:
unchanged:
--- ruby-gnome2-0.16.0.orig/debian/patches/CVE-2007-6183.patch
+++ ruby-gnome2-0.16.0/debian/patches/CVE-2007-6183.patch
@@ -0,0 +1,12 @@
+--- ruby-gnome2/gtk/src/rbgtkmessagedialog.c	2006/10/21 16:58:00	2275
++++ ruby-gnome2/gtk/src/rbgtkmessagedialog.c	2007/11/27 11:40:12	2720
+@@ -28,7 +28,8 @@
+                                RVAL2GFLAGS(flags, GTK_TYPE_DIALOG_FLAGS), 
+                                RVAL2GENUM(type, GTK_TYPE_MESSAGE_TYPE), 
+                                RVAL2GENUM(buttons, GTK_TYPE_BUTTONS_TYPE),
+-                               (const gchar*)(NIL_P(message) ? "": RVAL2CSTR(message)));
++                               "%s",
++                               NIL_P(message) ? "": RVAL2CSTR(message));
+     RBGTK_INITIALIZE(self, w);
+     return Qnil;
+ }
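Review bot: the change is correct for this call site: passing `"%s"` as the format and the message as a separate argument stops a caller-controlled Ruby string from being interpreted as a printf-style format by gtk_message_dialog_new, and dropping the `(const gchar*)` cast is harmless because the argument is now a variadic parameter rather than the format. Two follow-ups: the patch fixes only this one constructor, so it is worth checking the rest of the binding for other GTK calls that take a printf-style format (the secondary-text and markup variants of the message dialog API are the obvious candidates) and giving them the same treatment; and the patch has no description header above the `---` line, so a one-line summary with the CVE id would help whoever refreshes the series later.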
