Bug 460658 - (CVE-2008-3931) CVE-2008-3931 R: Insecure auxiliary /tmp file usage (symlink attack possible)
CVE-2008-3931 R: Insecure auxiliary /tmp file usage (symlink attack possible)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
reported=20080828,public=20080824,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-29 10:38 EDT by Jan Lieskovsky
Modified: 2010-03-29 07:23 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-29 07:23:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix for temp bug with R javareconf script (925 bytes, patch)
2008-08-29 11:39 EDT, Tom "spot" Callaway
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 496363 None None None Never

  None (edit)
Description Jan Lieskovsky 2008-08-29 10:38:25 EDT
The R package, as shipped within the Fedora releases of 8, 9 and 10,
is prone to to symlink attack.

Affected file: /usr/lib/R/bin/javareconf

Relevant part of the code:


    124 # test functionality of the compiler
    125 javac_works='not present'
    126 if test -n "$JAVAC"; then
    127     javac_works='not functional'
    128     rm -rf /tmp/A.java /tmp/A.class
    129     echo "public class A { }" > /tmp/A.java
    130     if test -e /tmp/A.java; then
    131         if "${JAVAC}" /tmp/A.java >/dev/null; then
    132             if test -e /tmp/A.class; then
    133                 javac_works=yes
    134             fi
    135         fi
    136     fi
    137     rm -rf /tmp/A.java /tmp/A.class
    138 fi


Description:

A malicious user could precreate a symlink pointing to the files /tmp/A.java
or /tmp/A.class. Subsequent run of the R java reconfiguration tool would
allow him to destroy / truncate the size of the symlink target to zero.

Affected versions:

This issue affects the versions of the R package, as shipped within Fedora
releases of 8, 9 and 10.
Comment 1 Tom "spot" Callaway 2008-08-29 11:38:51 EDT
Original Debian Bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496363
Comment 2 Tom "spot" Callaway 2008-08-29 11:39:56 EDT
Created attachment 315373 [details]
Fix for temp bug with R javareconf script
Comment 3 Tom "spot" Callaway 2008-08-29 11:40:16 EDT
Filed with R upstream:
http://bugs.r-project.org/cgi-bin/R/incoming?id=12636
Comment 4 Fedora Update System 2008-08-29 15:04:31 EDT
rpy-1.0.3-3.fc8,R-2.7.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc8,R-2.7.2-1.fc8
Comment 5 Fedora Update System 2008-08-29 15:05:36 EDT
rpy-1.0.3-3.fc9,R-2.7.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc9,R-2.7.2-1.fc9
Comment 6 Tomas Hoger 2008-09-05 11:16:25 EDT
CVE-2008-3931:

javareconf in R 2.7.2 allows local users to overwrite arbitrary files
via a symlink attack on temporary files.
Comment 7 Fedora Update System 2008-09-10 02:50:10 EDT
rpy-1.0.3-3.fc8, R-2.7.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-09-10 02:53:03 EDT
rpy-1.0.3-3.fc9, R-2.7.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.