Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 235822 (CVE-2008-3931) - dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931)
Summary: dev-lang/R < 2.7.1 insecure temp file usage (CVE-2008-3931)
Status: RESOLVED FIXED
Alias: CVE-2008-3931
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/496418
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-08-26 18:35 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-09-22 20:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
updated patch (R-javareconf.patch,1.11 KB, patch)
2008-08-31 11:25 UTC, Markus Dittrich (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 18:35:15 UTC
See $URL and bug 235770.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 20:07:46 UTC
Confirmed, we're installing /usr/lib64/R/bin/javareconf (independent of USE=java) and it contains vulnerable code which allows for overwriting arbitrary files using symlink attacks.
Checked version 2.7.1.
Debian seems to have a patch, but I don't have the URL handy.
Comment 2 Markus Dittrich (RETIRED) gentoo-dev 2008-08-27 19:49:52 UTC
Thanks a lot for the note. I'll fix this as soon as I
am able to log into packages.debian.org which seems
extremely slow at the moment.

Best,
Markus
Comment 3 Markus Dittrich (RETIRED) gentoo-dev 2008-08-27 23:02:40 UTC
I've removed some old (vulnerable) ebuilds and generated
a patch adapted from one found in Debian's cvs 
(R-javareconf.patch, which replaces insecure tempfile handling 
in the javereconf script with mktemp). I'd appreciate if
somebody could review it and make sure all is well.

The following ebuilds have been fixed by applying 
this patch

R-2.6.1-r1.ebuild
R-2.7.1.ebuild
R-2.7.2.ebuild

The R-2.2.1-r1 version is not vulnerable since
the javareconf script is not distributed with its
tarball.

Since the R-2.7.2.ebuild is a version bump, ~ARCH should 
pull this one in and be fine. However, in order
for ARCH to get this fix I suggest that we stable
R-2.7.1. Does this sound reasonable?

Thanks,
Markus



Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 13:27:16 UTC
Markus, please do not edit stable ebuilds (2.6.1-r1).
Furthermore, the patch should check the return value of mktemp, i.e.:
  if jctmpdir=`mktemp -t -d` ; then
Comment 5 Markus Dittrich (RETIRED) gentoo-dev 2008-08-31 11:21:48 UTC
(In reply to comment #4)
> Markus, please do not edit stable ebuilds (2.6.1-r1).

My apologies, this was an oversight on my part.

> Furthermore, the patch should check the return value of mktemp, i.e.:
>   if jctmpdir=`mktemp -t -d` ; then
> 

I'll post an updated patch below for further review below.


Thanks,
Markus
Comment 6 Markus Dittrich (RETIRED) gentoo-dev 2008-08-31 11:25:53 UTC
Created attachment 164168 [details, diff]
updated patch
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-31 13:32:17 UTC
The "rm -rf" of the directory should be inside the if-block where mktemp succeeds. But besides that the patch looks fine.
Comment 8 Markus Dittrich (RETIRED) gentoo-dev 2008-08-31 14:56:29 UTC
(In reply to comment #7)
> The "rm -rf" of the directory should be inside the if-block where mktemp
> succeeds. But besides that the patch looks fine.
> 

Thank you very much for your feedback, Robert! I've fixed this and
committed the updated patch to portage.

Best,
Markus
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-08-31 15:33:43 UTC
Arches, please test and mark stable:
=dev-lang/R-2.7.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2008-08-31 18:51:15 UTC
Sparc stable for R-2.7.1
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-09-01 07:05:21 UTC
ppc64 stable (2.7.1)
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-09-01 12:07:07 UTC
alpha/ia64/sparc stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-02 04:49:58 UTC
Stable for HPPA.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-02 16:58:16 UTC
amd64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-06 21:38:48 UTC
ppc stable
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 14:06:14 UTC
CVE-2008-3931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3931):
  javareconf in R 2.7.2 allows local users to overwrite arbitrary files
  via a symlink attack on temporary files.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-09-14 11:28:00 UTC
it's a vote: YES
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 21:52:33 UTC
yes too, request filed.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-22 20:18:33 UTC
GLSA 200809-13