The R package, as shipped within the Fedora releases of 8, 9 and 10, is prone to to symlink attack. Affected file: /usr/lib/R/bin/javareconf Relevant part of the code: 124 # test functionality of the compiler 125 javac_works='not present' 126 if test -n "$JAVAC"; then 127 javac_works='not functional' 128 rm -rf /tmp/A.java /tmp/A.class 129 echo "public class A { }" > /tmp/A.java 130 if test -e /tmp/A.java; then 131 if "${JAVAC}" /tmp/A.java >/dev/null; then 132 if test -e /tmp/A.class; then 133 javac_works=yes 134 fi 135 fi 136 fi 137 rm -rf /tmp/A.java /tmp/A.class 138 fi Description: A malicious user could precreate a symlink pointing to the files /tmp/A.java or /tmp/A.class. Subsequent run of the R java reconfiguration tool would allow him to destroy / truncate the size of the symlink target to zero. Affected versions: This issue affects the versions of the R package, as shipped within Fedora releases of 8, 9 and 10.
Original Debian Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496363
Created attachment 315373 [details] Fix for temp bug with R javareconf script
Filed with R upstream: http://bugs.r-project.org/cgi-bin/R/incoming?id=12636
rpy-1.0.3-3.fc8,R-2.7.2-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc8,R-2.7.2-1.fc8
rpy-1.0.3-3.fc9,R-2.7.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/rpy-1.0.3-3.fc9,R-2.7.2-1.fc9
CVE-2008-3931: javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
rpy-1.0.3-3.fc8, R-2.7.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rpy-1.0.3-3.fc9, R-2.7.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.