235822 CVE-2008-3931 2008-08-26 18:35 0000 dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931) 2008-09-22 20:18:33 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://bugs.debian.org/496418 B3 [glsa] P2 minor --- 235770 1 hoffie@gentoo.org security@gentoo.org sci@gentoo.org hoffie@gentoo.org 2008-08-26 18:35:15 0000 See $URL and bug 235770. hoffie@gentoo.org 2008-08-26 20:07:46 0000 Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks. Checked version 2.7.1. Debian seems to have a patch, but I don't have the URL handy. markusle@gentoo.org 2008-08-27 19:49:52 0000 Thanks a lot for the note. I'll fix this as soon as I am able to log into packages.debian.org which seems extremely slow at the moment. Best, Markus markusle@gentoo.org 2008-08-27 23:02:40 0000 I've removed some old (vulnerable) ebuilds and generated a patch adapted from one found in Debian's cvs (R-javareconf.patch, which replaces insecure tempfile handling in the javereconf script with mktemp). I'd appreciate if somebody could review it and make sure all is well. The following ebuilds have been fixed by applying this patch R-2.6.1-r1.ebuild R-2.7.1.ebuild R-2.7.2.ebuild The R-2.2.1-r1 version is not vulnerable since the javareconf script is not distributed with its tarball. Since the R-2.7.2.ebuild is a version bump, ~ARCH should pull this one in and be fine. However, in order for ARCH to get this fix I suggest that we stable R-2.7.1. Does this sound reasonable? Thanks, Markus rbu@gentoo.org 2008-08-30 13:27:16 0000 Markus, please do not edit stable ebuilds (2.6.1-r1). Furthermore, the patch should check the return value of mktemp, i.e.: if jctmpdir=`mktemp -t -d` ; then markusle@gentoo.org 2008-08-31 11:21:48 0000 (In reply to comment #4) > Markus, please do not edit stable ebuilds (2.6.1-r1). My apologies, this was an oversight on my part. > Furthermore, the patch should check the return value of mktemp, i.e.: > if jctmpdir=`mktemp -t -d` ; then > I'll post an updated patch below for further review below. Thanks, Markus markusle@gentoo.org 2008-08-31 11:25:53 0000 Created an attachment (id=164168) updated patch rbu@gentoo.org 2008-08-31 13:32:17 0000 The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine. markusle@gentoo.org 2008-08-31 14:56:29 0000 (In reply to comment #7) > The "rm -rf" of the directory should be inside the if-block where mktemp > succeeds. But besides that the patch looks fine. > Thank you very much for your feedback, Robert! I've fixed this and committed the updated patch to portage. Best, Markus rbu@gentoo.org 2008-08-31 15:33:43 0000 Arches, please test and mark stable: =dev-lang/R-2.7.1 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" fmccor@gentoo.org 2008-08-31 18:51:15 0000 Sparc stable for R-2.7.1 corsair@gentoo.org 2008-09-01 07:05:21 0000 ppc64 stable (2.7.1) armin76@gentoo.org 2008-09-01 12:07:07 0000 alpha/ia64/sparc stable jer@gentoo.org 2008-09-02 04:49:58 0000 Stable for HPPA. keytoaster@gentoo.org 2008-09-02 16:58:16 0000 amd64 stable dertobi123@gentoo.org 2008-09-06 21:38:48 0000 ppc stable rbu@gentoo.org 2008-09-12 14:06:14 0000 CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931): javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files. rbu@gentoo.org 2008-09-14 11:28:00 0000 it's a vote: YES py@gentoo.org 2008-09-18 21:52:33 0000 yes too, request filed. py@gentoo.org 2008-09-22 20:18:33 0000 GLSA 200809-13 164168 2008-08-31 11:25 0000 updated patch R-javareconf.patch text/plain ZGlmZiAtTmF1ciBSLTIuNy4yL3NyYy9zY3JpcHRzL2phdmFyZWNvbmYgUi0yLjcuMi5uZXcvc3Jj L3NjcmlwdHMvamF2YXJlY29uZgotLS0gUi0yLjcuMi9zcmMvc2NyaXB0cy9qYXZhcmVjb25mCTIw MDgtMDMtMjUgMDg6MjY6NDQuMDAwMDAwMDAwIC0wNDAwCisrKyBSLTIuNy4yLm5ldy9zcmMvc2Ny aXB0cy9qYXZhcmVjb25mCTIwMDgtMDgtMzEgMDc6MTg6MDEuMDAwMDAwMDAwIC0wNDAwCkBAIC0x MjUsMTYgKzEyNSwyMCBAQAogamF2YWNfd29ya3M9J25vdCBwcmVzZW50JwogaWYgdGVzdCAtbiAi JEpBVkFDIjsgdGhlbgogICAgIGphdmFjX3dvcmtzPSdub3QgZnVuY3Rpb25hbCcKLSAgICBybSAt cmYgL3RtcC9BLmphdmEgL3RtcC9BLmNsYXNzCi0gICAgZWNobyAicHVibGljIGNsYXNzIEEgeyB9 IiA+IC90bXAvQS5qYXZhCi0gICAgaWYgdGVzdCAtZSAvdG1wL0EuamF2YTsgdGhlbgotCWlmICIk e0pBVkFDfSIgL3RtcC9BLmphdmEgPi9kZXYvbnVsbDsgdGhlbgotCSAgICBpZiB0ZXN0IC1lIC90 bXAvQS5jbGFzczsgdGhlbgotCQlqYXZhY193b3Jrcz15ZXMKLQkgICAgZmkKLQlmaQorICAgICMg ZWRkIDI1IEF1ZyAyMDA4ICB1c2UgbWt0ZW1wIC10IC1kCisgICAgI3JtIC1yZiAvdG1wL0EuamF2 YSAvdG1wL0EuY2xhc3MKKyAgICBpZiBqY3RtcGRpcj1gbWt0ZW1wIC10IC1kYDsgdGhlbgorICAg ICAgZWNobyAicHVibGljIGNsYXNzIEEgeyB9IiA+ICR7amN0bXBkaXJ9L0EuamF2YQorICAgICAg aWYgdGVzdCAtZSAke2pjdG1wZGlyfS9BLmphdmE7IHRoZW4KKyAgICAgICAgaWYgIiR7SkFWQUN9 IiAke2pjdG1wZGlyfS9BLmphdmEgPi9kZXYvbnVsbDsgdGhlbgorICAgICAgICAgIGlmIHRlc3Qg LWUgJHtqY3RtcGRpcn0vQS5jbGFzczsgdGhlbgorICAgICAgICAgICAgamF2YWNfd29ya3M9eWVz CisgICAgICAgICAgZmkKKyAgICAgICAgZmkKKyAgICAgIGZpCiAgICAgZmkKLSAgICBybSAtcmYg L3RtcC9BLmphdmEgL3RtcC9BLmNsYXNzCisgICAgIyBybSAtcmYgL3RtcC9BLmphdmEgL3RtcC9B LmNsYXNzCisgICAgcm0gLXJmICR7amN0bXBkaXJ9CiBmaQogaWYgdGVzdCAiJHtqYXZhY193b3Jr c30iID0geWVzOyB0aGVuCiAgICAgZWNobyAiSmF2YSBjb21waWxlciAgICA6ICR7SkFWQUN9Igo=