Security issue with javareconf script (PR#12636)

4 messages · Tom Callaway, Dirk Eddelbuettel, Peter Dalgaard

#
Full_Name: Tom Callaway
Version: 2.7.2
OS: Fedora 10 (Linux/x86_64)
Submission from: (NULL) (96.233.67.230)


Recently, Debian identified a security issue with the javareconf script in R. I
confirmed that this is still unfixed in R 2.7.2.

The following patch resolves the issue:

diff -up R-2.7.2/src/scripts/javareconf.BAD R-2.7.1/src/scripts/javareconf
--- R-2.7.2/src/scripts/javareconf.BAD  2008-08-29 11:04:21.000000000 -0400
+++ R-2.7.2/src/scripts/javareconf	2008-08-29 11:05:34.000000000 -0400
@@ -125,16 +125,17 @@ fi
 javac_works='not present'
 if test -n "$JAVAC"; then
     javac_works='not functional'
-    rm -rf /tmp/A.java /tmp/A.class
-    echo "public class A { }" > /tmp/A.java
-    if test -e /tmp/A.java; then
-	if "${JAVAC}" /tmp/A.java >/dev/null; then
-           if test -e /tmp/A.class; then
+    tempdir=`mktemp -d`
+    echo "public class A { }" > ${tempdir}/A.java
+    if test -e ${tempdir}/A.java; then
+	if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
+           if test -e ${tempdir}/A.class; then
                javac_works=yes
            fi
	fi
     fi
-    rm -rf /tmp/A.java /tmp/A.class
+    rm -rf ${tempdir}
+
 fi
 if test "${javac_works}" = yes; then
     echo "Java compiler    : ${JAVAC}"
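Review bot: the `tempdir=\`mktemp -d\`` line never checks that mktemp succeeded, so on a system where mktemp is missing or fails, `tempdir` is empty and the following lines write to `/A.java`, run javac on it, and finally execute `rm -rf` with an empty operand; guard it with something like `tempdir=\`mktemp -d\` || exit 1` (or a fallback), and quote the expansions (`"${tempdir}/A.java"`, `rm -rf "${tempdir}"`) since `$TMPDIR`-derived paths may contain spaces. Minor: the added `+` line after `rm -rf ${tempdir}` introduces a stray blank line, and the `diff -up` command line names `R-2.7.1` while both file headers say `R-2.7.2`.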
#
On 29 August 2008 at 17:35, tcallawa at redhat.com wrote:
| Full_Name: Tom Callaway
| Version: 2.7.2
| OS: Fedora 10 (Linux/x86_64)
| Submission from: (NULL) (96.233.67.230)
| 
| 
| Recently, Debian identified a security issue with the javareconf script in R. 

Yes, someone launched a massive list of bug reports against all scripts using
plain /tmp.  The fact that javareconf already rm's the file just before
creation leaves just a tiny tiny tiny window -- but I didn't argue this with
our folks either as the patch (almost like yours) is easy enough.

| I confirmed that this is still unfixed in R 2.7.2.
| 
| The following patch resolves the issue:
| 
| diff -up R-2.7.2/src/scripts/javareconf.BAD R-2.7.1/src/scripts/javareconf
| --- R-2.7.2/src/scripts/javareconf.BAD  2008-08-29 11:04:21.000000000 -0400
| +++ R-2.7.2/src/scripts/javareconf	2008-08-29 11:05:34.000000000 -0400
| @@ -125,16 +125,17 @@ fi
|  javac_works='not present'
|  if test -n "$JAVAC"; then
|      javac_works='not functional'
| -    rm -rf /tmp/A.java /tmp/A.class
| -    echo "public class A { }" > /tmp/A.java
| -    if test -e /tmp/A.java; then
| -	if "${JAVAC}" /tmp/A.java >/dev/null; then
| -           if test -e /tmp/A.class; then
| +    tempdir=`mktemp -d`

"mktemp -d -t" is preferable, and that is what our patch does.

I reported this to Simon off-list. The trouble is that such a patch, at the R
source level, would require mktemp to be present on all systems, which is not a
given.  So I suggested to Simon to add a function that will use mktemp where
available and 'does something else' otherwise.  I have not heard back yet.

Dirk


| +    echo "public class A { }" > ${tempdir}/A.java
| +    if test -e ${tempdir}/A.java; then
| +	if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
| +           if test -e ${tempdir}/A.class; then
|                 javac_works=yes
|             fi
| 	fi
|      fi
| -    rm -rf /tmp/A.java /tmp/A.class
| +    rm -rf ${tempdir}
| +
|  fi
|  if test "${javac_works}" = yes; then
|      echo "Java compiler    : ${JAVAC}"
| 
| ______________________________________________
| R-devel at r-project.org mailing list
| https://stat.ethz.ch/mailman/listinfo/r-devel
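One way to write the helper Dirk describes, as an added example that is not code from R, from the patch above, or from R's INSTALL script: a function that uses mktemp where it exists and otherwise falls back to a loop around mkdir, which is atomic and fails if the path already exists, so a pre-planted file or symlink at a guessed name cannot redirect the write. The javac probe from the patch is then rewritten on top of it. The function names, the `Rjava.` prefix and the retry limit are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from R or from this thread: a portable private
# temporary directory helper (mktemp with an mkdir fallback) and the javac
# probe rebuilt on top of it. make_tempdir, make_tempdir_fallback,
# check_javac and the Rjava. prefix are this example's own names.

# Fallback used when mktemp is missing: mkdir refuses to create a path that
# already exists, so an attacker who pre-creates a file or symlink at a
# guessed name can only make that one attempt fail, never hijack the write.
make_tempdir_fallback() {
    base="${TMPDIR:-/tmp}"
    i=0
    while [ "$i" -lt 100 ]; do
        candidate="${base}/Rjava.$$.${i}"
        if mkdir -m 0700 "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
        i=$((i + 1))
    done
    echo "could not create a private temporary directory in $base" >&2
    return 1
}

# Prefer mktemp. An explicit template under $TMPDIR behaves the same with
# the GNU and BSD variants, unlike -t, whose meaning differs between them.
make_tempdir() {
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "${TMPDIR:-/tmp}/Rjava.XXXXXX"
    else
        make_tempdir_fallback
    fi
}

# Compile a trivial class with the compiler named in $1 inside a private
# directory. Returns 0 only when A.class appeared; always cleans up.
check_javac() {
    javac="$1"
    tempdir=$(make_tempdir) || return 1
    rc=1
    if echo "public class A { }" > "$tempdir/A.java" &&
       "$javac" "$tempdir/A.java" >/dev/null 2>&1 &&
       test -f "$tempdir/A.class"; then
        rc=0
    fi
    rm -rf "$tempdir"
    return $rc
}

# Stand-alone use: report whether the compiler named in $JAVAC works.
if [ -n "${JAVAC:-}" ]; then
    if check_javac "$JAVAC"; then
        echo "Java compiler    : ${JAVAC}"
    else
        echo "Java compiler    : not functional"
    fi
fi
```

Every expansion is quoted, the directory is created mode 0700 in the fallback path, and the probe reports failure rather than proceeding if no private directory could be obtained. Run it as `JAVAC=/path/to/javac sh javacheck.sh`; with an unset `JAVAC` it only defines the functions.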
#
tcallawa at redhat.com wrote:
OK, committed. Not the easiest hole to exploit, I'd say (notice that we 
only compile something, not execute it).


.....

Oh, sh*! This is not portable! Needs code like INSTALL. Will refix.
#
On Fri, 2008-08-29 at 20:04 +0200, Peter Dalgaard wrote:
Sorry about that. I forgot that people cared about *nix that has a
supported Java but no mktemp implementation... :)

~spot