See $URL and bug 235770.
Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks.
Checked version 2.7.1.
Debian seems to have a patch, but I don't have the URL handy.
Thanks a lot for the note. I'll fix this as soon as I am able to log into packages.debian.org which seems extremely slow at the moment.
I've removed some old (vulnerable) ebuilds and generated a patch adapted from one found in Debian's cvs (R-javareconf.patch, which replaces insecure tempfile handling in the javareconf script with mktemp). I'd appreciate if somebody could review it and make sure all is well.
The following ebuilds have been fixed by applying
The R-2.2.1-r1 version is not vulnerable since
the javareconf script is not distributed with its
Since the R-2.7.2.ebuild is a version bump, ~ARCH should pull this one in and be fine. However, in order for ARCH to get this fix I suggest that we stable R-2.7.1. Does this sound reasonable?
Markus, please do not edit stable ebuilds (2.6.1-r1).
Furthermore, the patch should check the return value of mktemp, i.e.:
if jctmpdir=`mktemp -t -d` ; then
(In reply to comment #4)
> Markus, please do not edit stable ebuilds (2.6.1-r1).
My apologies, this was an oversight on my part.
> Furthermore, the patch should check the return value of mktemp, i.e.:
> if jctmpdir=`mktemp -t -d` ; then
I'll post an updated patch below for further review.
Created attachment 164168 [details, diff]
The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine.
(In reply to comment #7)
> The "rm -rf" of the directory should be inside the if-block where mktemp
> succeeds. But besides that the patch looks fine.
Thank you very much for your feedback, Robert! I've fixed this and committed the updated patch to portage.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
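The pattern the two review comments ask for (check mktemp's return value, keep the rm -rf inside the success branch), written out as an added POSIX sh example; this is not the R project's javareconf script nor the attached R-javareconf.patch, and the function name and the javareconf.XXXXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example, not the javareconf script or the Gentoo/Debian patch.
# A predictable path such as /tmp/javareconf.$$ can be pre-created as a
# symlink by any local user, so a write through it lands on the link target.
# mktemp -d creates a fresh, randomly named, mode-0700 directory and fails
# rather than reusing an existing entry; the caller must check that it
# succeeded, and cleanup must only touch a directory mktemp actually created.

# Run the given command inside a freshly created private temp directory.
# Returns the command's status, or 1 (touching nothing) if mktemp fails.
run_in_private_tmpdir() {
    jctmpdir=
    # Explicit template keeps this portable across GNU, busybox and BSD mktemp.
    if jctmpdir=$(mktemp -d "${TMPDIR:-/tmp}/javareconf.XXXXXXXX" 2>/dev/null); then
        # Clean up on normal exit and on HUP/INT/TERM, but only the directory
        # we were just handed (the reviewer's point: rm -rf belongs in here).
        trap 'rm -rf "$jctmpdir"' EXIT HUP INT TERM
        ( cd "$jctmpdir" && "$@" )
        status=$?
        rm -rf "$jctmpdir"
        trap - EXIT HUP INT TERM
        return "$status"
    else
        # No fallback to a fixed path: that would reintroduce the symlink race.
        echo "mktemp failed; refusing to fall back to a predictable path" >&2
        return 1
    fi
}

# Demonstration: write a probe file inside the private directory; the
# directory is gone again once the command returns.
run_in_private_tmpdir sh -c 'echo probe > probe && cat probe'
```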
Sparc stable for R-2.7.1
ppc64 stable (2.7.1)
Stable for HPPA.
javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
it's a vote: YES
yes too, request filed.