Comment 1 Christian Hoffmann (RETIRED) 2008-08-26 20:07:46 UTC

Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks.
Checked version 2.7.1.
Debian seems to have a patch, but I don't have the URL handy.

Comment 2 Markus Dittrich (RETIRED) 2008-08-27 19:49:52 UTC

Thanks a lot for the note. I'll fix this as soon as I
am able to log into packages.debian.org which seems
extremely slow at the moment.

Best,
Markus

Comment 3 Markus Dittrich (RETIRED) 2008-08-27 23:02:40 UTC

I've removed some old (vulnerable) ebuilds and generated
a patch adapted from one found in Debian's cvs 
(R-javareconf.patch, which replaces insecure tempfile handling 
in the javereconf script with mktemp). I'd appreciate if
somebody could review it and make sure all is well.

The following ebuilds have been fixed by applying 
this patch

R-2.6.1-r1.ebuild
R-2.7.1.ebuild
R-2.7.2.ebuild

The R-2.2.1-r1 version is not vulnerable since
the javareconf script is not distributed with its
tarball.

Since the R-2.7.2.ebuild is a version bump, ~ARCH should 
pull this one in and be fine. However, in order
for ARCH to get this fix I suggest that we stable
R-2.7.1. Does this sound reasonable?

Thanks,
Markus

Comment 4 Robert Buchholz (RETIRED) 2008-08-30 13:27:16 UTC

Markus, please do not edit stable ebuilds (2.6.1-r1).
Furthermore, the patch should check the return value of mktemp, i.e.:
  if jctmpdir=`mktemp -t -d` ; then

Comment 5 Markus Dittrich (RETIRED) 2008-08-31 11:21:48 UTC

(In reply to comment #4)
> Markus, please do not edit stable ebuilds (2.6.1-r1).

My apologies, this was an oversight on my part.

> Furthermore, the patch should check the return value of mktemp, i.e.:
>   if jctmpdir=`mktemp -t -d` ; then
> 

I'll post an updated patch below for further review below.


Thanks,
Markus

Comment 6 Markus Dittrich (RETIRED) 2008-08-31 11:25:53 UTC

Created attachment 164168 [details, diff]
updated patch

Comment 7 Robert Buchholz (RETIRED) 2008-08-31 13:32:17 UTC

The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine.

Comment 8 Markus Dittrich (RETIRED) 2008-08-31 14:56:29 UTC

(In reply to comment #7)
> The "rm -rf" of the directory should be inside the if-block where mktemp
> succeeds. But besides that the patch looks fine.
> 

Thank you very much for your feedback, Robert! I've fixed this and
committed the updated patch to portage.

Best,
Markus

Comment 9 Robert Buchholz (RETIRED) 2008-08-31 15:33:43 UTC

Arches, please test and mark stable:
=dev-lang/R-2.7.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment 10 Ferris McCormick (RETIRED) 2008-08-31 18:51:15 UTC

Sparc stable for R-2.7.1

Comment 11 Markus Rothe (RETIRED) 2008-09-01 07:05:21 UTC

ppc64 stable (2.7.1)

Comment 12 Raúl Porcel (RETIRED) 2008-09-01 12:07:07 UTC

alpha/ia64/sparc stable

Comment 13 Jeroen Roovers (RETIRED) 2008-09-02 04:49:58 UTC

Stable for HPPA.

Comment 14 Tobias Heinlein (RETIRED) 2008-09-02 16:58:16 UTC

amd64 stable

Comment 15 Tobias Scherbaum (RETIRED) 2008-09-06 21:38:48 UTC

ppc stable

Comment 16 Robert Buchholz (RETIRED) 2008-09-12 14:06:14 UTC

CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931):
  javareconf in R 2.7.2 allows local users to overwrite arbitrary files
  via a symlink attack on temporary files.

Comment 17 Robert Buchholz (RETIRED) 2008-09-14 11:28:00 UTC

it's a vote: YES

Comment 18 Pierre-Yves Rofes (RETIRED) 2008-09-18 21:52:33 UTC

yes too, request filed.

Comment 19 Pierre-Yves Rofes (RETIRED) 2008-09-22 20:18:33 UTC

GLSA 200809-13