Bug 460658 (CVE-2008-3931)

Summary: CVE-2008-3931 R: Insecure auxiliary /tmp file usage (symlink attack possible)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 11:23:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix for temp bug with R javareconf script none

Description Jan Lieskovsky 2008-08-29 14:38:25 UTC 
The R package, as shipped within the Fedora releases of 8, 9 and 10,
is prone to to symlink attack.

Affected file: /usr/lib/R/bin/javareconf

Relevant part of the code:


    124 # test functionality of the compiler
    125 javac_works='not present'
    126 if test -n "$JAVAC"; then
    127     javac_works='not functional'
    128     rm -rf /tmp/A.java /tmp/A.class
    129     echo "public class A { }" > /tmp/A.java
    130     if test -e /tmp/A.java; then
    131         if "${JAVAC}" /tmp/A.java >/dev/null; then
    132             if test -e /tmp/A.class; then
    133                 javac_works=yes
    134             fi
    135         fi
    136     fi
    137     rm -rf /tmp/A.java /tmp/A.class
    138 fi


Description:

A malicious user could precreate a symlink pointing to the files /tmp/A.java
or /tmp/A.class. Subsequent run of the R java reconfiguration tool would
allow him to destroy / truncate the size of the symlink target to zero.

Affected versions:

This issue affects the versions of the R package, as shipped within Fedora
releases of 8, 9 and 10.
Comment 1 Tom "spot" Callaway 2008-08-29 15:38:51 UTC 
Original Debian Bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496363
Comment 2 Tom "spot" Callaway 2008-08-29 15:39:56 UTC 
Created attachment 315373 [details]
Fix for temp bug with R javareconf script
Comment 3 Tom "spot" Callaway 2008-08-29 15:40:16 UTC 
Filed with R upstream:
http://bugs.r-project.org/cgi-bin/R/incoming?id=12636
Comment 4 Fedora Update System 2008-08-29 19:04:31 UTC 
rpy-1.0.3-3.fc8,R-2.7.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc8,R-2.7.2-1.fc8
Comment 5 Fedora Update System 2008-08-29 19:05:36 UTC 
rpy-1.0.3-3.fc9,R-2.7.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc9,R-2.7.2-1.fc9
Comment 6 Tomas Hoger 2008-09-05 15:16:25 UTC 
CVE-2008-3931:

javareconf in R 2.7.2 allows local users to overwrite arbitrary files
via a symlink attack on temporary files.
Comment 7 Fedora Update System 2008-09-10 06:50:10 UTC 
rpy-1.0.3-3.fc8, R-2.7.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-09-10 06:53:03 UTC 
rpy-1.0.3-3.fc9, R-2.7.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.