Re: [Rd] Security issue with javareconf script (PR#12636)

From: Peter Dalgaard <p.dalgaard_at_biostat.ku.dk>
Date: Fri, 29 Aug 2008 20:04:38 +0200

tcallawa_at_redhat.com wrote:
> Full_Name: Tom Callaway
> Version: 2.7.2
> OS: Fedora 10 (Linux/x86_64)
> Submission from: (NULL) (96.233.67.230)
>
>
> Recently, Debian identified a security issue with the javareconf script in R. I
> confirmed that this is still unfixed in R 2.7.2.
>
> The following patch resolves the issue:
>
> diff -up R-2.7.2/src/scripts/javareconf.BAD R-2.7.1/src/scripts/javareconf
> --- R-2.7.2/src/scripts/javareconf.BAD 2008-08-29 11:04:21.000000000 -0400
> +++ R-2.7.2/src/scripts/javareconf 2008-08-29 11:05:34.000000000 -0400
> @@ -125,16 +125,17 @@ fi
> javac_works='not present'
> if test -n "$JAVAC"; then
> javac_works='not functional'
> - rm -rf /tmp/A.java /tmp/A.class
> - echo "public class A { }" > /tmp/A.java
> - if test -e /tmp/A.java; then
> - if "${JAVAC}" /tmp/A.java >/dev/null; then
> - if test -e /tmp/A.class; then
> + tempdir=`mktemp -d`
> + echo "public class A { }" > ${tempdir}/A.java
> + if test -e ${tempdir}/A.java; then
> + if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
> + if test -e ${tempdir}/A.class; then
> javac_works=yes
> fi
> fi
> fi
> - rm -rf /tmp/A.java /tmp/A.class
> + rm -rf ${tempdir}
> +
> fi
> if test "${javac_works}" = yes; then
> echo "Java compiler : ${JAVAC}"
>
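Review bot: the new `tempdir=`mktemp -d`` line has no failure check. If mktemp is absent or fails, `tempdir` is empty, the following `echo` writes to `/A.java`, the `javac` test runs against that path, and the closing `rm -rf ${tempdir}` is executed with no argument. Add a guard before the first use, for example `if test -d "${tempdir}"; then ... fi` wrapped around the existing block so that `javac_works` simply stays at 'not functional' when no directory could be created. Two smaller points in the same hunk: `${tempdir}` is unquoted at every use, so a TMPDIR containing spaces breaks the redirect and the compiler call (quote it as `"${tempdir}/A.java"`), and `mktemp -d` itself is not available on every platform the script runs on, so the hunk needs a fallback for systems without it. The added empty `+` line after `rm -rf ${tempdir}` also introduces a stray blank line.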
OK, committed. Not the easiest hole to exploit, I'd say (notice that we only compile something, not execute it).

.....

Oh, sh*! This is not portable! Needs code like INSTALL. Will refix.

-- 
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard_at_biostat.ku.dk)              FAX: (+45) 35327907
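The follow-up above says the committed change is not portable because it relies on `mktemp -d`. As an added illustration (not the javareconf script and not R's INSTALL code), the POSIX sh fragment below creates a private scratch directory with `mktemp -d` where that works and otherwise falls back to `mkdir -m 0700`, whose failure on an existing name prevents a pre-created file or symlink at a guessable `/tmp` path from being used. The function names `make_tempdir_fallback`, `make_tempdir` and `compile_test`, and the `Rjavareconf.` name prefix, are assumptions for this example.

```shell
#!/bin/sh
# Added example; not the javareconf script itself nor R's INSTALL code.
# Function names and the directory name prefix are assumptions.

# Fallback for systems whose mktemp lacks -d. mkdir fails if the name
# already exists, so a file or symlink planted at a guessable path cannot
# be handed to us; the safety comes from mkdir's atomicity and the 0700
# mode, not from the (weak) randomness mixed into the name.
make_tempdir_fallback() {
    base="${TMPDIR:-/tmp}"
    i=0
    while [ "$i" -lt 100 ]; do
        r=$(awk 'BEGIN { srand(); print int(rand() * 1000000) }')
        d="${base}/Rjavareconf.$$.${i}.${r}"
        if mkdir -m 0700 "$d" 2>/dev/null; then
            echo "$d"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Prefer mktemp -d where it works (atomic, mode 0700, unpredictable name);
# otherwise use the fallback. Prints the directory, returns 1 on failure.
make_tempdir() {
    d=$(mktemp -d 2>/dev/null) || d=""
    if [ -n "$d" ] && [ -d "$d" ]; then
        echo "$d"
        return 0
    fi
    make_tempdir_fallback
}

# Compile a trivial class in a private directory, as javareconf does, and
# report whether the compiler produced A.class. The directory is removed
# on every path, and every use of it is quoted.
compile_test() {
    javac="$1"
    tmp=$(make_tempdir) || return 1
    status=1
    echo "public class A { }" > "$tmp/A.java"
    if "$javac" "$tmp/A.java" >/dev/null 2>&1 && [ -e "$tmp/A.class" ]; then
        status=0
    fi
    rm -rf "$tmp"
    return "$status"
}
```

`compile_test "$JAVAC"` returns 0 only when the compiler wrote `A.class` into the private directory, which is the condition the patched script uses to set `javac_works=yes`.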

______________________________________________
R-devel_at_r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Received on Fri 29 Aug 2008 - 18:06:54 GMT

Archive maintained by Robert King, hosted by the discipline of statistics at the University of Newcastle, Australia.
Archive generated by hypermail 2.2.0, at Fri 29 Aug 2008 - 20:39:36 GMT.
