Bug 235822 - dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931)
Bug#: 235822 (CVE-2008-3931) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: hoffie@gentoo.org
Component: Vulnerabilities
URL:  http://bugs.debian.org/496418
Summary: dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2008-08-26 18:35 0000
Description:   Opened: 2008-08-26 18:35 0000 
See $URL and bug 235770.

------- Comment #1 From Christian Hoffmann 2008-08-26 20:07:46 0000 ------- 
Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of
USE=java) and it contains vulnerable code which allows for overwriting
arbitrary files using symlink attacks.
Checked version 2.7.1.
Debian seems to have a patch, but I don't have the URL handy.

------- Comment #2 From Markus Dittrich 2008-08-27 19:49:52 0000 ------- 
Thanks a lot for the note. I'll fix this as soon as I
am able to log into packages.debian.org which seems
extremely slow at the moment.

Best,
Markus

------- Comment #3 From Markus Dittrich 2008-08-27 23:02:40 0000 ------- 
I've removed some old (vulnerable) ebuilds and generated
a patch adapted from one found in Debian's cvs 
(R-javareconf.patch, which replaces insecure tempfile handling 
in the javereconf script with mktemp). I'd appreciate if
somebody could review it and make sure all is well.

The following ebuilds have been fixed by applying 
this patch

R-2.6.1-r1.ebuild
R-2.7.1.ebuild
R-2.7.2.ebuild

The R-2.2.1-r1 version is not vulnerable since
the javareconf script is not distributed with its
tarball.

Since the R-2.7.2.ebuild is a version bump, ~ARCH should 
pull this one in and be fine. However, in order
for ARCH to get this fix I suggest that we stable
R-2.7.1. Does this sound reasonable?

Thanks,
Markus

------- Comment #4 From Robert Buchholz 2008-08-30 13:27:16 0000 ------- 
Markus, please do not edit stable ebuilds (2.6.1-r1).
Furthermore, the patch should check the return value of mktemp, i.e.:
  if jctmpdir=`mktemp -t -d` ; then

------- Comment #5 From Markus Dittrich 2008-08-31 11:21:48 0000 ------- 
(In reply to comment #4)
> Markus, please do not edit stable ebuilds (2.6.1-r1).

My apologies, this was an oversight on my part.

> Furthermore, the patch should check the return value of mktemp, i.e.:
>   if jctmpdir=`mktemp -t -d` ; then
> 

I'll post an updated patch below for further review below.


Thanks,
Markus

------- Comment #6 From Markus Dittrich 2008-08-31 11:25:53 0000 ------- 
Created an attachment (id=164168) [details]
updated patch

------- Comment #7 From Robert Buchholz 2008-08-31 13:32:17 0000 ------- 
The "rm -rf" of the directory should be inside the if-block where mktemp
succeeds. But besides that the patch looks fine.

------- Comment #8 From Markus Dittrich 2008-08-31 14:56:29 0000 ------- 
(In reply to comment #7)
> The "rm -rf" of the directory should be inside the if-block where mktemp
> succeeds. But besides that the patch looks fine.
> 

Thank you very much for your feedback, Robert! I've fixed this and
committed the updated patch to portage.

Best,
Markus

------- Comment #9 From Robert Buchholz 2008-08-31 15:33:43 0000 ------- 
Arches, please test and mark stable:
=dev-lang/R-2.7.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

------- Comment #10 From Ferris McCormick 2008-08-31 18:51:15 0000 ------- 
Sparc stable for R-2.7.1

------- Comment #11 From Markus Rothe 2008-09-01 07:05:21 0000 ------- 
ppc64 stable (2.7.1)

------- Comment #12 From Raúl Porcel 2008-09-01 12:07:07 0000 ------- 
alpha/ia64/sparc stable

------- Comment #13 From Jeroen Roovers 2008-09-02 04:49:58 0000 ------- 
Stable for HPPA.

------- Comment #14 From Tobias Heinlein 2008-09-02 16:58:16 0000 ------- 
amd64 stable

------- Comment #15 From Tobias Scherbaum 2008-09-06 21:38:48 0000 ------- 
ppc stable

------- Comment #16 From Robert Buchholz 2008-09-12 14:06:14 0000 ------- 
CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931):
  javareconf in R 2.7.2 allows local users to overwrite arbitrary files
  via a symlink attack on temporary files.

------- Comment #17 From Robert Buchholz 2008-09-14 11:28:00 0000 ------- 
it's a vote: YES

------- Comment #18 From Pierre-Yves Rofes 2008-09-18 21:52:33 0000 ------- 
yes too, request filed.

------- Comment #19 From Pierre-Yves Rofes 2008-09-22 20:18:33 0000 ------- 
GLSA 200809-13