On Fri, Aug 13, 2004 at 04:17:06PM +0900, Jim Weirich wrote:
> At least with RubyGems, the former attack scenario is not available, for
> only gem code is run during the installation.  The attacker gets no
> opportunity to run as root.

IIRC both the extconf.rb and the Makefiles supplied with the gem will
be run if the gem specifies it carries extensions, so there's some
potential for abuse as root. 

-- 
Running Debian GNU/Linux Sid (unstable)
batsman dot geo at yahoo dot com
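
A pre-install check for the point raised in the reply above, as an added example that is not part of the original message or of RubyGems itself: it reports whether a gem declares extensions, and therefore whether build scripts shipped in the gem would run during installation. The helper names (`install_time_scripts`, `audit`, `audit_file`) and the two sample specs are constructed for illustration.

```ruby
require "rubygems"
require "rubygems/package"

# Build scripts the gem declares; these are executed during `gem install`.
def install_time_scripts(spec)
  spec.extensions.map do |ext|
    dir = File.dirname(ext)
    # Makefiles shipped next to the script (as opposed to generated ones).
    shipped = spec.files.select do |f|
      File.dirname(f) == dir && File.basename(f) =~ /\AMakefile/i
    end
    kind = File.basename(ext) =~ /extconf/i ? :extconf : :other_build_script
    { script: ext, kind: kind, shipped_makefiles: shipped }
  end
end

# uid is a parameter so the root / non-root outcome can be checked offline.
def audit(spec, uid: Process.uid)
  scripts = install_time_scripts(spec)
  risk = if scripts.empty? then :none
         elsif uid.zero?   then :runs_as_root
         else                   :runs_as_user
         end
  { gem: spec.full_name, risk: risk, scripts: scripts }
end

# For a downloaded .gem file: reads the metadata without installing anything.
def audit_file(path, uid: Process.uid)
  audit(Gem::Package.new(path).spec, uid: uid)
end

# Constructed sample specs (not real gems).
PURE = Gem::Specification.new do |s|
  s.name = "constructed-pure"
  s.version = "0.1.0"
  s.files = ["lib/pure.rb"]
end

NATIVE = Gem::Specification.new do |s|
  s.name = "constructed-native"
  s.version = "0.1.0"
  s.files = ["lib/native.rb", "ext/native/extconf.rb",
             "ext/native/Makefile.in", "ext/native/native.c"]
  s.extensions = ["ext/native/extconf.rb"]
end

[PURE, NATIVE].each { |spec| p audit(spec) } if __FILE__ == $0
```

A `:none` result only means no extension build step is declared; it says nothing about what the gem's library code does once it is loaded.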