Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
See $URL and bug 235770.
Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks. Checked version 2.7.1. Debian seems to have a patch, but I don't have the URL handy.
Thanks a lot for the note. I'll fix this as soon as I am able to log into packages.debian.org which seems extremely slow at the moment. Best, Markus
I've removed some old (vulnerable) ebuilds and generated a patch adapted from one found in Debian's cvs (R-javareconf.patch, which replaces insecure tempfile handling in the javereconf script with mktemp). I'd appreciate if somebody could review it and make sure all is well. The following ebuilds have been fixed by applying this patch R-2.6.1-r1.ebuild R-2.7.1.ebuild R-2.7.2.ebuild The R-2.2.1-r1 version is not vulnerable since the javareconf script is not distributed with its tarball. Since the R-2.7.2.ebuild is a version bump, ~ARCH should pull this one in and be fine. However, in order for ARCH to get this fix I suggest that we stable R-2.7.1. Does this sound reasonable? Thanks, Markus
Markus, please do not edit stable ebuilds (2.6.1-r1). Furthermore, the patch should check the return value of mktemp, i.e.: if jctmpdir=`mktemp -t -d` ; then
(In reply to comment #4) > Markus, please do not edit stable ebuilds (2.6.1-r1). My apologies, this was an oversight on my part. > Furthermore, the patch should check the return value of mktemp, i.e.: > if jctmpdir=`mktemp -t -d` ; then > I'll post an updated patch below for further review below. Thanks, Markus
Created an attachment (id=164168) [details] updated patch
The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine.
(In reply to comment #7) > The "rm -rf" of the directory should be inside the if-block where mktemp > succeeds. But besides that the patch looks fine. > Thank you very much for your feedback, Robert! I've fixed this and committed the updated patch to portage. Best, Markus
Arches, please test and mark stable: =dev-lang/R-2.7.1 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Sparc stable for R-2.7.1
ppc64 stable (2.7.1)
alpha/ia64/sparc stable
Stable for HPPA.
amd64 stable
ppc stable
CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931): javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
it's a vote: YES
yes too, request filed.
GLSA 200809-13
