| Field | Value |
|---|---|
| Summary | dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Christian Hoffmann (RETIRED) <hoffie> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | High |
| CC | sci |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://bugs.debian.org/496418 |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 235770 |
| Attachments | |
Description
Christian Hoffmann (RETIRED)
2008-08-26 18:35:15 UTC

Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks. Checked version 2.7.1.

Comment #1

Debian seems to have a patch, but I don't have the URL handy.

Comment #2

Thanks a lot for the note. I'll fix this as soon as I am able to log into packages.debian.org, which seems extremely slow at the moment.

Best,
Markus

Comment #3

I've removed some old (vulnerable) ebuilds and generated a patch adapted from one found in Debian's CVS (R-javareconf.patch, which replaces insecure tempfile handling in the javareconf script with mktemp). I'd appreciate it if somebody could review it and make sure all is well.

The following ebuilds have been fixed by applying this patch:

- R-2.6.1-r1.ebuild
- R-2.7.1.ebuild
- R-2.7.2.ebuild

The R-2.2.1-r1 version is not vulnerable since the javareconf script is not distributed with its tarball.

Since the R-2.7.2.ebuild is a version bump, ~ARCH should pull this one in and be fine. However, in order for ARCH to get this fix I suggest that we stable R-2.7.1. Does this sound reasonable?

Thanks,
Markus

Comment #4

Markus, please do not edit stable ebuilds (2.6.1-r1).

Furthermore, the patch should check the return value of mktemp, i.e.:

`if jctmpdir=`mktemp -t -d` ; then`

Comment #5

(In reply to comment #4)
> Markus, please do not edit stable ebuilds (2.6.1-r1).

My apologies, this was an oversight on my part.

> Furthermore, the patch should check the return value of mktemp, i.e.:
> if jctmpdir=`mktemp -t -d` ; then

I'll post an updated patch below for further review.

Thanks,
Markus

Comment #6

Created attachment 164168 [details, diff]
updated patch

Comment #7

The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine.

Comment #8

(In reply to comment #7)
> The "rm -rf" of the directory should be inside the if-block where mktemp
> succeeds. But besides that the patch looks fine.

Thank you very much for your feedback, Robert! I've fixed this and committed the updated patch to portage.

Best,
Markus

Comment #9

Arches, please test and mark stable:
=dev-lang/R-2.7.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment #10

Sparc stable for R-2.7.1

Comment #11

ppc64 stable (2.7.1)

Comment #12

alpha/ia64/sparc stable

Comment #13

Stable for HPPA.

Comment #14

amd64 stable

Comment #15

ppc stable

Comment #16

CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931):
javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files.

Comment #17

it's a vote: YES

Comment #18

yes too, request filed.

Comment #19

GLSA 200809-13
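The two review points raised in this thread (check the return value of mktemp, and keep the `rm -rf` inside the branch where mktemp succeeded) are easier to see side by side with the defect they fix. The script below is an added example written for this page; it is not R's javareconf script, not Debian's or Gentoo's patch, and the function names, the fixed file name `demo.tmp` and the "victim" file are constructed for the demonstration. It runs the symlink attack against a predictable-path temp file in a private sandbox directory, then shows that the mktemp-based version with the reviewers' corrections does not follow the planted link.

```shell
#!/bin/sh
# Added example for this bug thread (not the R project's or Gentoo's code).
# Demonstrates the insecure temp-file pattern described in CVE-2008-3931
# next to a hardened mktemp-based version that follows comments #4 and #7.
# All names (demo.tmp, victim, the function names) are constructed here.

# Insecure pattern: a fixed, predictable name in a shared directory.
# The shell's '>' redirection opens the path with O_CREAT|O_TRUNC and
# follows symlinks, so a pre-planted link makes it overwrite the target.
# Kept only to show the defect; do not copy.
insecure_tmp_write() {   # $1 = base dir (world-writable in real life), $2 = data
    target="$1/demo.tmp"
    echo "$2" > "$target"
}

# Hardened pattern: mktemp -d creates a fresh, mode-0700 directory with an
# unpredictable name and fails instead of reusing an existing path, so no
# planted symlink can be hit. The return value is checked (comment #4), and
# the 'rm -rf' only runs in the branch where mktemp actually created the
# directory (comment #7), so a failed mktemp never removes an unintended path.
secure_tmp_write() {     # $1 = base dir, $2 = data
    if jctmpdir=$(mktemp -d "$1/demo.XXXXXXXX"); then
        trap 'rm -rf "$jctmpdir"' EXIT      # cleanup even if the script dies here
        echo "$2" > "$jctmpdir/probe"       # files live under the private dir
        # ... real work with the temp files would happen here ...
        rm -rf "$jctmpdir"
        trap - EXIT
        return 0
    else
        echo "mktemp failed; refusing to fall back to a predictable path" >&2
        return 1
    fi
}

# Sandbox so the demo never touches the real /tmp: a private directory holding
# a "victim" file that the attacker wants overwritten.
setup_sandbox() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/tmpfile-demo.XXXXXXXX") || return 1
    victim="$sandbox/victim"
    echo "original contents" > "$victim"
}

# Attacker step: pre-create the predictable name as a symlink to the victim.
plant_symlink() {
    ln -s "$victim" "$sandbox/demo.tmp"
}

# Returns 0 if the victim file no longer holds its original contents.
victim_modified() {
    [ "$(cat "$victim")" != "original contents" ]
}

# Runs the whole scenario. Returns 0 when the insecure variant was fooled by
# the symlink and the secure variant was not; nonzero otherwise.
run_demo() {
    setup_sandbox || return 1
    plant_symlink

    insecure_tmp_write "$sandbox" "attacker-controlled data"
    insecure_clobbered=0
    victim_modified && insecure_clobbered=1

    echo "original contents" > "$victim"     # reset the victim for round two
    secure_tmp_write "$sandbox" "attacker-controlled data" || return 1
    secure_clobbered=0
    victim_modified && secure_clobbered=1

    rm -rf "$sandbox"
    echo "insecure variant overwrote victim: $insecure_clobbered (expected 1)"
    echo "secure variant overwrote victim:   $secure_clobbered (expected 0)"
    [ "$insecure_clobbered" = 1 ] && [ "$secure_clobbered" = 0 ]
}

run_demo
```

Run it as `sh script.sh`; it prints the two verdict lines and exits 0. The sandbox stands in for a world-writable /tmp: in the real attack the link is planted by another local user, and on a system with `fs.protected_symlinks` enabled the kernel would refuse to follow a link owned by someone else in a sticky directory, which mitigates but does not remove the need for mktemp.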