Debian Bug report logs - #496363
The possibility of attack with the help of symlinks in some Debian packages


Package: r-base-core-ra; Maintainer for r-base-core-ra is Dirk Eddelbuettel <edd@debian.org>;

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:08 UTC

Severity: grave

Tags: confirmed, security

Fixed in version r-base-core-ra/1.1.1-2

Done: Dirk Eddelbuettel <edd@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: r-base-core-ra
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), then your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
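As an added example (not the reporter's survey script, which is not on this page), here is a heuristic audit in POSIX sh that finds the pattern this report is about: executable scripts that reference a fixed name under /tmp. It assumes a directory to scan and standard find, grep and head; lines that call mktemp are dropped because those names are generated safely, and every remaining hit still needs a human look, since the thread itself shows a disputed one.

```shell
#!/bin/sh
# Added example, not the reporter's own survey script: a heuristic audit
# for scripts that use a fixed, predictable name under /tmp. Hits on lines
# that call mktemp are dropped because those names are generated safely.
# Everything reported needs a human look, and an "rm -rf" before use does
# not make a fixed name safe (there is still a window for a symlink).

# audit_tmp_usage DIR
#   Prints "file:line:text" for every line of an executable script under DIR
#   that references a fixed path below /tmp and does not use mktemp.
audit_tmp_usage() {
    root="$1"
    # Executable regular files only, as in the original survey.
    find "$root" -type f -perm -u+x -print | while IFS= read -r f; do
        # Skip compiled binaries: only look at files that start with a shebang.
        head -c 2 "$f" 2>/dev/null | grep -q '^#!' || continue
        # A literal "/tmp/" followed by a fixed name, not preceded by an
        # identifier character (so "$tmp/..." style variables do not match).
        grep -nE '(^|[^[:alnum:]_])/tmp/[[:alnum:]_.-]+' "$f" 2>/dev/null |
            grep -v 'mktemp' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$f" "$hit"
            done
    done
}

# count_tmp_hits DIR -> prints the number of suspicious lines found under DIR
count_tmp_hits() {
    audit_tmp_usage "$1" | grep -c . || true
}
```

Run `audit_tmp_usage /usr/lib` (or any tree of installed scripts) and review each reported line by hand.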




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 496363@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 19:13:29 -0500
I think it is a false positive:

# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
    javac_works='not functional'
    rm -rf /tmp/A.java /tmp/A.class           ## <- note the rm -rf
    echo "public class A { }" > /tmp/A.java
    if test -e /tmp/A.java; then
        if "${JAVAC}" /tmp/A.java >/dev/null; then
            if test -e /tmp/A.class; then
                javac_works=yes
            fi
        fi
    fi
    rm -rf /tmp/A.java /tmp/A.class
fi


Right before /tmp/A.* are being used, they are being wiped. No symlink
attack.

Unless I hear objections, I plan to close this one.

Dirk

-- 
Three out of two people have difficulties with fractions.




Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #15 received at 496363@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>, 496363@bugs.debian.org
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 04:11:48 +0200
Hi Dirk,
* Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
> I think it is a false positive:
> 
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
>     javac_works='not functional'
>     rm -rf /tmp/A.java /tmp/A.class           ## <- note the rm -rf
>     echo "public class A { }" > /tmp/A.java
>     if test -e /tmp/A.java; then
>         if "${JAVAC}" /tmp/A.java >/dev/null; then
>             if test -e /tmp/A.class; then
>                 javac_works=yes
>             fi
>         fi
>     fi
>     rm -rf /tmp/A.java /tmp/A.class
> fi
> 
> Right before /tmp/A.* are being used, they are being wiped. No symlink
> attack.
> 
> Unless I hear objections, I plan to close this one.

Please don't. There is still a race condition here. The
chance is not that high, but it's still possible in theory to
create the symlink after the unlink. Using mktemp shouldn't
be a big effort but would solve this problem.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 496363@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: Nico Golde <nion@debian.org>, 496363@bugs.debian.org
Cc: Stephen Gran <sgran@debian.org>, "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 21:38:23 -0500
On 25 August 2008 at 04:11, Nico Golde wrote:
| Hi Dirk,
| * Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
| > I think it is a false positive:
| > 
| > # test functionality of the compiler
| > javac_works='not present'
| > if test -n "$JAVAC"; then
| >     javac_works='not functional'
| >     rm -rf /tmp/A.java /tmp/A.class           ## <- note the rm -rf
| >     echo "public class A { }" > /tmp/A.java
| >     if test -e /tmp/A.java; then
| >         if "${JAVAC}" /tmp/A.java >/dev/null; then
| >             if test -e /tmp/A.class; then
| >                 javac_works=yes
| >             fi
| >         fi
| >     fi
| >     rm -rf /tmp/A.java /tmp/A.class
| > fi
| > 
| > Right before /tmp/A.* are being used, they are being wiped. No symlink
| > attack.
| > 
| > Unless I hear objections, I plan to close this one.
| 
| Please don't. There is still a race condition here. The 
| chance is not that high but it's still possible in theory to 
| create the symlink after the unlink. Using mktemp shouldn't 
| be a big effort but solve this problem.

Right. Stephen said so too. Trouble is that we then accumulate yet another
Debian-only patch... Oh well.

So something like

# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
    javac_works='not functional'
    #rm -rf /tmp/A.java /tmp/A.class           
    tempdir=`mktemp -d`
    echo "public class A { }" > ${tempdir}/A.java
    if test -e ${tempdir}/A.java; then
        if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
            if test -e ${tempdir}/A.class; then
                javac_works=yes
            fi
        fi
    fi
    #rm -rf /tmp/A.java /tmp/A.class
    rm -rf ${tempdir}
fi

should do, right?

Dirk

-- 
Three out of two people have difficulties with fractions.




Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #25 received at 496363@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 496363@bugs.debian.org, Stephen Gran <sgran@debian.org>, "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:14:57 +0200
Hi Dirk,
* Dirk Eddelbuettel <edd@debian.org> [2008-08-25 13:06]:
> On 25 August 2008 at 04:11, Nico Golde wrote:
> | * Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
[...] 
> | > Right before /tmp/A.* are being used, they are being wiped. No symlink
> | > attack.
> | > 
> | > Unless I hear objections, I plan to close this one.
> | 
> | Please don't. There is still a race condition here. The 
> | chance is not that high but it's still possible in theory to 
> | create the symlink after the unlink. Using mktemp shouldn't 
> | be a big effort but solve this problem.
> 
> Right. Stephen said so too. Trouble is that we then accumulate yet another
> Debian-only patch... Oh well.

That shouldn't be really a problem.

> So something like
> 
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
>     javac_works='not functional'
>     #rm -rf /tmp/A.java /tmp/A.class           
>     tempdir=`mktemp -d`
>     echo "public class A { }" > ${tempdir}/A.java
>     if test -e ${tempdir}/A.java; then
>         if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
>             if test -e ${tempdir}/A.class; then
>                 javac_works=yes
>             fi
>         fi
>     fi
>     #rm -rf /tmp/A.java /tmp/A.class
>     rm -rf ${tempdir}
> fi
> 
> should do, right?

Looks correct to me!
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 11:18:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #32 received at 496363@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:19:42 +0200
>Trouble is that we then accumulate yet another Debian-only patch... Oh well.

Why wouldn't it be acceptable to upstream?

> So something like
>
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
>     javac_works='not functional'
>     #rm -rf /tmp/A.java /tmp/A.class
>     tempdir=`mktemp -d`
>     echo "public class A { }" > ${tempdir}/A.java
>     if test -e ${tempdir}/A.java; then
>         if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
>             if test -e ${tempdir}/A.class; then
>                 javac_works=yes
>             fi
>         fi
>     fi
>     #rm -rf /tmp/A.java /tmp/A.class
>     rm -rf ${tempdir}
> fi
>
> should do, right?

Yes, that looks good. Thanks for working on this!


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #37 received at 496363@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 06:36:54 -0500
On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| >Trouble is that we then accumulate yet another Debian-only patch... Oh well.
| 
| Why wouldn't it be acceptable to upstream?

I'll talk to them but mktemp is not universal, is it?
 
| > So something like
| >
| > # test functionality of the compiler
| > javac_works='not present'
| > if test -n "$JAVAC"; then
| >     javac_works='not functional'
| >     #rm -rf /tmp/A.java /tmp/A.class
| >     tempdir=`mktemp -d`
| >     echo "public class A { }" > ${tempdir}/A.java
| >     if test -e ${tempdir}/A.java; then
| >         if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
| >             if test -e ${tempdir}/A.class; then
| >                 javac_works=yes
| >             fi
| >         fi
| >     fi
| >     #rm -rf /tmp/A.java /tmp/A.class
| >     rm -rf ${tempdir}
| > fi
| >
| > should do, right?
| 
| Yes, that looks good. Thanks for working on this!

Pleasure. 

A new release happens to have come out this morning (as per a timeline
announced a few weeks ago).

Dirk

-- 
Three out of two people have difficulties with fractions.




Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #42 received at 496363@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:44:49 +0200
On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
> On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
> | >Trouble is that we then accumulate yet another Debian-only patch... Oh
> | > well.
> |
> | Why wouldn't it be acceptable to upstream?
>
> I'll talk to them but mktemp is not universal, is it?

It's in coreutils since last year, and before that several distros provided
versions of it.


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #47 received at 496363@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 06:57:13 -0500
On 25 August 2008 at 13:44, Thijs Kinkhorst wrote:
| On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
| > On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| > | >Trouble is that we then accumulate yet another Debian-only patch... Oh
| > | > well.
| > |
| > | Why wouldn't it be acceptable to upstream?
| >
| > I'll talk to them but mktemp is not universal, is it?
| 
| It's in coreutils since last year, and before that several distros provided 
| versions of it.

Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
... and even Windoze (though the javareconf script may not matter there).

But I just emailed the point person for javareconf. Maybe we can move
creation of the temp dir into a helper function which uses mktemp if present
and defaults to what it currently does.

New version with patched javareconf now uploaded.

Dirk

-- 
Three out of two people have difficulties with fractions.
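The helper discussed in this thread, as an added example that is not code from javareconf or the R project: it prefers mktemp(1) and, on systems without it (the portability concern raised above), falls back to an atomic mkdir of a fresh name rather than to a fixed /tmp path, which closes the race Nico describes. It assumes a POSIX sh; the "javareconf." prefix is only a label, and javac_works_in is the compiler check from the quoted script rewritten on top of the helper.

```shell
#!/bin/sh
# Added example, not code from javareconf or the R project: a temp-directory
# helper that never reuses a fixed name under /tmp. With mktemp(1) present it
# is used; otherwise the fallback relies on mkdir(2) being atomic, so a name
# that already exists (including an attacker-planted symlink) makes creation
# fail instead of being followed.

# make_tempdir_fallback BASE -> prints a new private directory under BASE
make_tempdir_fallback() {
    base="$1"
    i=0
    while [ "$i" -lt 100 ]; do
        i=$((i + 1))
        # pid + clock + attempt counter: a different name on every retry
        name="${base}/javareconf.$$.$(date +%s).$i"
        # mkdir fails with EEXIST for any existing entry, so a pre-planted
        # symlink at this name is rejected rather than followed.
        if mkdir -m 700 "$name" 2>/dev/null; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    echo "make_tempdir_fallback: giving up after 100 attempts in $base" >&2
    return 1
}

# make_tempdir [BASE] -> prints a new private directory (default $TMPDIR or /tmp)
make_tempdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp creates the directory itself, mode 0700, with a random suffix
        mktemp -d "${base}/javareconf.XXXXXX" 2>/dev/null && return 0
    fi
    make_tempdir_fallback "$base"
}

# javac_works_in JAVAC -> 0 if JAVAC compiles a trivial class, 1 if it does not,
#                         2 if no compiler was given ("not present" in javareconf)
javac_works_in() {
    javac="$1"
    [ -n "$javac" ] || return 2
    dir=$(make_tempdir) || return 1
    # Everything below happens inside a directory only this user can write to.
    echo "public class A { }" > "$dir/A.java"
    status=1
    if "$javac" "$dir/A.java" >/dev/null 2>&1 && [ -e "$dir/A.class" ]; then
        status=0
    fi
    rm -rf "$dir"
    return $status
}
```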




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:07 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. Full text and rfc822 format available.

Message #56 received at 496363@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Dirk Eddelbuettel <edd@debian.org>
Cc: 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 13:57:12 +0200
Hi Dirk,

On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
> Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
> ... and even Windoze (though the javareconf script may not matter there).
>
> But I just emailed the point person for javareconf. Maybe we can move
> creation of the temp.dir into a helper function which use mktemp if present
> and default to what it currently does.
>
> New version with patched javareconf now uploaded.

I see an upload of r-base-core but not (yet) of r-base-core-ra, is that
intentional?


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496363; Package r-base-core-ra. Full text and rfc822 format available.

Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #61 received at 496363@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 07:12:33 -0500
Hi Thijs,

On 27 August 2008 at 13:57, Thijs Kinkhorst wrote:
| Hi Dirk,
| 
| On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
| > Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
| > ... and even Windoze (though the javareconf script may not matter there).
| >
| > But I just emailed the point person for javareconf. Maybe we can move
| > creation of the temp.dir into a helper function which use mktemp if present
| > and default to what it currently does.
| >
| > New version with patched javareconf now uploaded.
| 
| I see an upload of r-base-core but not (yet) of r-base-core-ra, is that 
| intentional?

It was. R 2.7.2 came out on Monday, so r-base-core was a natural candidate.

Yesterday I worked on the RC bug requiring GSL docs to go to non-free for
dfsg / gfdl reasons.  So for r-base-core-ra, a build will follow shortly.

There will be a new release too (corresponding to R 2.7.2), but as we don't
know when I'll just preempt it with a new build with a patched javareconf.

Hth, Dirk

-- 
Three out of two people have difficulties with fractions.




Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #66 received at 496363-close@bugs.debian.org (full text, mbox):

From: Dirk Eddelbuettel <edd@debian.org>
To: 496363-close@bugs.debian.org
Subject: Bug#496363: fixed in r-base-core-ra 1.1.1-2
Date: Wed, 27 Aug 2008 13:02:13 +0000
Source: r-base-core-ra
Source-Version: 1.1.1-2

We believe that the bug you reported is fixed in the latest version of
r-base-core-ra, which is due to be installed in the Debian FTP archive:

r-base-core-ra_1.1.1-2.diff.gz
  to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2.diff.gz
r-base-core-ra_1.1.1-2.dsc
  to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2.dsc
r-base-core-ra_1.1.1-2_i386.deb
  to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496363@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-base-core-ra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 27 Aug 2008 07:13:09 -0500
Source: r-base-core-ra
Binary: r-base-core-ra
Architecture: source i386
Version: 1.1.1-2
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description: 
 r-base-core-ra - 'ra' variant of GNU R core of statistical computing language and 
Closes: 496363
Changes: 
 r-base-core-ra (1.1.1-2) unstable; urgency=low
 .
   * debian/rules: Patch javareconf as we do for r-base-core
   * src/scripts/javareconf: Replace use of /tmp with result of
     `mktemp -t -d` to avoid symlink attacks		(Closes: #496363)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Oct 2008 07:28:46 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 08:10:58 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.