Bug 460658 (CVE-2008-3931) - CVE-2008-3931 R: Insecure auxiliary /tmp file usage (symlink attack possible)
Summary: CVE-2008-3931 R: Insecure auxiliary /tmp file usage (symlink attack possible)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3931
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-29 14:38 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-29 11:23:10 UTC


Attachments (Terms of Use)
Fix for temp bug with R javareconf script (925 bytes, patch)
2008-08-29 15:39 UTC, Tom "spot" Callaway
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Debian BTS 496363 None None None Never

Description Jan Lieskovsky 2008-08-29 14:38:25 UTC
The R package, as shipped within the Fedora releases of 8, 9 and 10,
is prone to to symlink attack.

Affected file: /usr/lib/R/bin/javareconf

Relevant part of the code:


    124 # test functionality of the compiler
    125 javac_works='not present'
    126 if test -n "$JAVAC"; then
    127     javac_works='not functional'
    128     rm -rf /tmp/A.java /tmp/A.class
    129     echo "public class A { }" > /tmp/A.java
    130     if test -e /tmp/A.java; then
    131         if "${JAVAC}" /tmp/A.java >/dev/null; then
    132             if test -e /tmp/A.class; then
    133                 javac_works=yes
    134             fi
    135         fi
    136     fi
    137     rm -rf /tmp/A.java /tmp/A.class
    138 fi


Description:

A malicious user could precreate a symlink pointing to the files /tmp/A.java
or /tmp/A.class. Subsequent run of the R java reconfiguration tool would
allow him to destroy / truncate the size of the symlink target to zero.

Affected versions:

This issue affects the versions of the R package, as shipped within Fedora
releases of 8, 9 and 10.

Comment 1 Tom "spot" Callaway 2008-08-29 15:38:51 UTC
Original Debian Bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496363

Comment 2 Tom "spot" Callaway 2008-08-29 15:39:56 UTC
Created attachment 315373 [details]
Fix for temp bug with R javareconf script

Comment 3 Tom "spot" Callaway 2008-08-29 15:40:16 UTC
Filed with R upstream:
http://bugs.r-project.org/cgi-bin/R/incoming?id=12636

Comment 4 Fedora Update System 2008-08-29 19:04:31 UTC
rpy-1.0.3-3.fc8,R-2.7.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc8,R-2.7.2-1.fc8

Comment 5 Fedora Update System 2008-08-29 19:05:36 UTC
rpy-1.0.3-3.fc9,R-2.7.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc9,R-2.7.2-1.fc9

Comment 6 Tomas Hoger 2008-09-05 15:16:25 UTC
CVE-2008-3931:

javareconf in R 2.7.2 allows local users to overwrite arbitrary files
via a symlink attack on temporary files.

Comment 7 Fedora Update System 2008-09-10 06:50:10 UTC
rpy-1.0.3-3.fc8, R-2.7.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-09-10 06:53:03 UTC
rpy-1.0.3-3.fc9, R-2.7.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.