Package: r-base-core; Maintainer for r-base-core is Dirk Eddelbuettel <edd@debian.org>; Source for r-base-core is src:r-base (PTS, buildd, popcon).
Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Date: Sun, 24 Aug 2008 18:11:38 UTC
Severity: grave
Tags: confirmed
Fixed in versions r-base/2.7.2-1, r-base/2.7.1-1+lenny1
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: r-base-core
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or users' files.
For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.
Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is still not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.
Even if you rm(dir) the files/directories, your system is still
not protected. An attacker can permanently create symlinks.
This list was created with the help of a script. The list was sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set the severity of this bug to grave. The table of discovered
problems is below.
Discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496418; Package r-base-core.
Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 496418@bugs.debian.org:
This is the same as the one I just answered for r-base-core-ra as
r-base-core-ra is an extension/specialisation of r-base-core.
So again:
# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
    javac_works='not functional'
    rm -rf /tmp/A.java /tmp/A.class
    echo "public class A { }" > /tmp/A.java
    if test -e /tmp/A.java; then
        if "${JAVAC}" /tmp/A.java >/dev/null; then
            if test -e /tmp/A.class; then
                javac_works=yes
            fi
        fi
    fi
    rm -rf /tmp/A.java /tmp/A.class
fi
rm just before file creation should prevent any symlink attack vectors, no?
Dirk
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
Message #15 received at 496418@bugs.debian.org:
This one time, at band camp, Dirk Eddelbuettel said:
>
> This is the same as the one I just answered for r-base-core-ra as
> r-base-core-ra is an extension/specialisation of r-base-core.
>
> So again:
>
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
> javac_works='not functional'
> rm -rf /tmp/A.java /tmp/A.class
> echo "public class A { }" > /tmp/A.java
> if test -e /tmp/A.java; then
> if "${JAVAC}" /tmp/A.java >/dev/null; then
> if test -e /tmp/A.class; then
> javac_works=yes
> fi
> fi
> fi
> rm -rf /tmp/A.java /tmp/A.class
> fi
>
>
> rm just before file creation should prevent any symlink attack vectors, no?
No.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496418; Package r-base-core.
Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list.
Message #20 received at 496418@bugs.debian.org:
On 25 August 2008 at 01:43, Stephen Gran wrote:
| This one time, at band camp, Dirk Eddelbuettel said:
| >
| > This is the same as the one I just answered for r-base-core-ra as
| > r-base-core-ra is an extension/specialisation of r-base-core.
| >
| > So again:
| >
| > # test functionality of the compiler
| > javac_works='not present'
| > if test -n "$JAVAC"; then
| > javac_works='not functional'
| > rm -rf /tmp/A.java /tmp/A.class
| > echo "public class A { }" > /tmp/A.java
| > if test -e /tmp/A.java; then
| > if "${JAVAC}" /tmp/A.java >/dev/null; then
| > if test -e /tmp/A.class; then
| > javac_works=yes
| > fi
| > fi
| > fi
| > rm -rf /tmp/A.java /tmp/A.class
| > fi
| >
| >
| > rm just before file creation should prevent any symlink attack vectors, no?
|
| No.
Alright, so what is a better way? Use of tempfile(1) or mktemp(1)?
Dirk
| --
| -----------------------------------------------------------------
| | ,''`. Stephen Gran |
| | : :' : sgran@debian.org |
| | `. `' Debian user, admin, and developer |
| | `- http://www.debian.org |
| -----------------------------------------------------------------
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
Message #25 received at 496418@bugs.debian.org:
This one time, at band camp, Dirk Eddelbuettel said:
>
> On 25 August 2008 at 01:43, Stephen Gran wrote:
> | This one time, at band camp, Dirk Eddelbuettel said:
> | >
> | > This is the same as the one I just answered for r-base-core-ra as
> | > r-base-core-ra is an extension/specialisation of r-base-core.
> | >
> | > So again:
> | >
> | > # test functionality of the compiler
> | > javac_works='not present'
> | > if test -n "$JAVAC"; then
> | > javac_works='not functional'
> | > rm -rf /tmp/A.java /tmp/A.class
> | > echo "public class A { }" > /tmp/A.java
> | > if test -e /tmp/A.java; then
> | > if "${JAVAC}" /tmp/A.java >/dev/null; then
> | > if test -e /tmp/A.class; then
> | > javac_works=yes
> | > fi
> | > fi
> | > fi
> | > rm -rf /tmp/A.java /tmp/A.class
> | > fi
> | >
> | >
> | > rm just before file creation should prevent any symlink attack vectors, no?
> |
> | No.
>
> Allright, so what is a better way? Use of tempfile(1) or mktemp(1) ?
Yes, something like that would be better - the current approach leaves a
small but exploitable race condition. I have no opinion on whether the
race condition matters in practice, of course, but my gut says that the
extra effort to use safe coding practices is so small that it's probably
worth it.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
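The exchange above (Dirk asking whether tempfile(1) or mktemp(1) is the better way, Stephen confirming that the rm-then-create sequence leaves an exploitable race) can be illustrated with the compiler probe rewritten around mktemp(1). The following is an added example, not the r-base javareconf script and not code from either participant; the function name check_javac and the javareconf.XXXXXXXXXX template are assumptions. Rather than `mktemp -t -d`, which the 2.7.2-1 changelog later in this log records as the actual fix, it spells the template out explicitly so the same script runs on GNU and BSD mktemp.

```shell
#!/bin/sh
# Added example (not the r-base javareconf script): the compiler probe from
# this bug log rewritten to use a private, unpredictable temporary directory.
#
# Why the original was racy: "rm -rf /tmp/A.java" followed by
# "echo ... > /tmp/A.java" leaves a window in which any local user can
# place a symlink named /tmp/A.java; the shell's ">" redirection follows
# the symlink, so the script overwrites whatever the link points to with
# the privileges of whoever runs it. Random or pid-based names only
# shrink that window; mktemp(1) closes it by creating the directory
# atomically with an unguessable name and mode 0700.
#
# Assumed/hypothetical names: check_javac, the javareconf.XXXXXXXXXX template.

# check_javac JAVAC_COMMAND
# Prints "not present" (empty argument), "not functional" (compiler failed
# or produced no class file) or "yes" (compiler works).
check_javac() {
    javac="$1"
    if [ -z "$javac" ]; then
        echo 'not present'
        return 0
    fi

    # mktemp -d creates the directory with O_EXCL semantics: it fails rather
    # than reusing a path that already exists, so a pre-planted symlink is
    # never followed. The template honours TMPDIR, as "mktemp -t -d" does.
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/javareconf.XXXXXXXXXX") || {
        echo 'not functional'
        return 0
    }

    result='not functional'
    src="$tmpdir/A.java"
    cls="$tmpdir/A.class"   # javac writes the class file next to the source
    if printf 'public class A { }\n' > "$src" \
        && "$javac" "$src" >/dev/null 2>&1 \
        && [ -f "$cls" ]; then
        result=yes
    fi

    # Always remove our own directory; nothing else can have created it.
    rm -rf "$tmpdir"
    echo "$result"
}

# Stand-alone use: probe whatever $JAVAC is set to in the environment.
check_javac "${JAVAC:-}"
```

The important property is that no path name is chosen before the object exists: the directory comes into being and gets its name in one atomic call, and everything the probe writes lives inside it. Since the directory is created with mode 0700, a second user cannot even see the file names, let alone pre-create them.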
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
Message #30 received at 496418@bugs.debian.org:
> Yes, something like that would be better - the current approach leaves a
> small but exploitable race condition. I have no opinion on whether the
> race condition matters in practice, of course, but my gut says that the
> extra effort to use safe coding practices is so small that it's probably
> worth it.
Yes, please fix this for lenny.
Thanks!
Thijs
Tags added: confirmed
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 11:18:08 GMT)
Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility.
Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
Message #37 received at 496418-close@bugs.debian.org:
Source: r-base
Source-Version: 2.7.2-1
We believe that the bug you reported is fixed in the latest version of
r-base, which is due to be installed in the Debian FTP archive:
r-base-core-dbg_2.7.2-1_i386.deb
to pool/main/r/r-base/r-base-core-dbg_2.7.2-1_i386.deb
r-base-core_2.7.2-1_i386.deb
to pool/main/r/r-base/r-base-core_2.7.2-1_i386.deb
r-base-dev_2.7.2-1_all.deb
to pool/main/r/r-base/r-base-dev_2.7.2-1_all.deb
r-base-html_2.7.2-1_all.deb
to pool/main/r/r-base/r-base-html_2.7.2-1_all.deb
r-base-latex_2.7.2-1_all.deb
to pool/main/r/r-base/r-base-latex_2.7.2-1_all.deb
r-base_2.7.2-1.diff.gz
to pool/main/r/r-base/r-base_2.7.2-1.diff.gz
r-base_2.7.2-1.dsc
to pool/main/r/r-base/r-base_2.7.2-1.dsc
r-base_2.7.2-1_all.deb
to pool/main/r/r-base/r-base_2.7.2-1_all.deb
r-base_2.7.2.orig.tar.gz
to pool/main/r/r-base/r-base_2.7.2.orig.tar.gz
r-doc-html_2.7.2-1_all.deb
to pool/main/r/r-base/r-doc-html_2.7.2-1_all.deb
r-doc-info_2.7.2-1_all.deb
to pool/main/r/r-base/r-doc-info_2.7.2-1_all.deb
r-doc-pdf_2.7.2-1_all.deb
to pool/main/r/r-base/r-doc-pdf_2.7.2-1_all.deb
r-mathlib_2.7.2-1_i386.deb
to pool/main/r/r-base/r-mathlib_2.7.2-1_i386.deb
r-recommended_2.7.2-1_all.deb
to pool/main/r/r-base/r-recommended_2.7.2-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 25 Aug 2008 06:37:14 -0500
Source: r-base
Binary: r-base r-base-core r-base-dev r-mathlib r-base-html r-base-latex r-doc-pdf r-doc-html r-doc-info r-recommended r-base-core-dbg
Architecture: source i386 all
Version: 2.7.2-1
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
r-base - GNU R statistical computing language and environment
r-base-core - GNU R core of statistical computing language and environment
r-base-core-dbg - GNU R debug symbols for statistical comp. language and environmen
r-base-dev - GNU R installation of auxiliary GNU R packages
r-base-html - GNU R html docs for statistical computing system functions
r-base-latex - GNU R LaTeX docs for statistical computing system functions
r-doc-html - GNU R html manuals for statistical computing system
r-doc-info - GNU R info manuals statistical computing system
r-doc-pdf - GNU R pdf manuals for statistical computing system
r-mathlib - GNU R standalone mathematics library
r-recommended - GNU R collection of recommended packages [metapackage]
Closes: 496418
Changes:
r-base (2.7.2-1) unstable; urgency=low
.
* New upstream version released a few hours ago
.
* src/scripts/javareconf: Replace use of /tmp with result of
`mktemp -t -d` to avoid symlink attacks (Closes: #496418)
Checksums-Sha1:
e94cb7240e11e1a9b49f0312368a7d234406822e 1664 r-base_2.7.2-1.dsc
0de9f00ae58e67840fc2daab8973d37d97d78535 16466658 r-base_2.7.2.orig.tar.gz
f02349ee14c4fe9bf2bd437ad3870d75d376dfe8 62546 r-base_2.7.2-1.diff.gz
364b58f6f19e50c8e29717fbb2f6d0918c662583 10279602 r-base-core_2.7.2-1_i386.deb
fafe40d3135e91179e695297cd1ca40030204235 497330 r-mathlib_2.7.2-1_i386.deb
1be65bdffd4aea90f5bedc58ad550bb9e6086620 2330102 r-base-core-dbg_2.7.2-1_i386.deb
323e8f670b1fa39dca5d3d4905218ab483a0d474 29764 r-base_2.7.2-1_all.deb
e15840d65a2ead233157c21f5a4fc5edfd5033a5 2920 r-base-dev_2.7.2-1_all.deb
93ce1cb426b658ec6d517df1dc8a6b560d7c3bc8 1286006 r-base-html_2.7.2-1_all.deb
86300486f6f15e9691ec2fc6911e4a5977b9c050 1198618 r-base-latex_2.7.2-1_all.deb
5c649a5f56e5e03704ed442589c6440b8c826852 6698876 r-doc-pdf_2.7.2-1_all.deb
b090751d3e2676e2a906eb85b4d988077c304c36 605704 r-doc-html_2.7.2-1_all.deb
6fde7901b1f4001bf08428b689d7e8973fd24ca0 529346 r-doc-info_2.7.2-1_all.deb
c791fd07562fb0e25d4c431ed3154fa739d0a2af 2192 r-recommended_2.7.2-1_all.deb
Checksums-Sha256:
f488f5ab911168ed501cb24f4ff03c4b9db3fd7fc27500e3f23743354af09fc6 1664 r-base_2.7.2-1.dsc
7184c1f85fafce518e6dbccb5a64ba47a62d8694c7019da0e1c1e83ff98c3ff4 16466658 r-base_2.7.2.orig.tar.gz
7686beec046c6ca9c6b7f6c39af067e925f3e18f7a9636a132f02d5ce503d101 62546 r-base_2.7.2-1.diff.gz
cce084b72909eba25026a07ddbb3ccda5581abe5002a6de50fa9830f74b7133b 10279602 r-base-core_2.7.2-1_i386.deb
dc8a6dcebedc3c2a35d63de5d653cb9d7c396e253010897ba120818532cb4bc7 497330 r-mathlib_2.7.2-1_i386.deb
2b558f12787fe83533e80abc124cbad2ae8b7a708dd4929caf4dd77054e42665 2330102 r-base-core-dbg_2.7.2-1_i386.deb
31195d7bf9dfbc26b592650aa615a7d3cb82799f9c95344390b3a76a8b3044b0 29764 r-base_2.7.2-1_all.deb
07dcee7a5a47c84f6e70bae547e4b98b6fe4f413ea9cab6e7358d6ffa07b785d 2920 r-base-dev_2.7.2-1_all.deb
866aface6305b5d5ed2d2b6ead8c7fc11152c8ffc6a07424749839b95b3c4a29 1286006 r-base-html_2.7.2-1_all.deb
f97ed56aab2052a386e74e50f2c065ce0a0cf49e199c286ab0ccb4df21ea3dd4 1198618 r-base-latex_2.7.2-1_all.deb
c0bb62fcd2fb7e3f67f7f933e8d81fd2c10e118aaecc51ea095544089f04817f 6698876 r-doc-pdf_2.7.2-1_all.deb
d6c3d6bb74372a8c5528160e25440788f61d6e578760996110ed9a1b15584ded 605704 r-doc-html_2.7.2-1_all.deb
acefa4f05ee1a6254306e2626c3c5dc117a491637b23796278faadbf0e4314c5 529346 r-doc-info_2.7.2-1_all.deb
41429c3087745a9c227b25bb54fd6ac13035f8314d027a92ef7239b125abacdd 2192 r-recommended_2.7.2-1_all.deb
Files:
f2221fafdcc825db25c8cfe37342ce27 1664 math optional r-base_2.7.2-1.dsc
6122945e9301825b97a506151b3cefde 16466658 math optional r-base_2.7.2.orig.tar.gz
caba9b66001da8bab2064cffa8f53860 62546 math optional r-base_2.7.2-1.diff.gz
4b0a9696f195b5ac2e94615b6eaeffd8 10279602 math optional r-base-core_2.7.2-1_i386.deb
7794253cd7c6afb7508f0fce05e5e5a0 497330 math optional r-mathlib_2.7.2-1_i386.deb
9868ac74186a81c7948c253a3364c248 2330102 math extra r-base-core-dbg_2.7.2-1_i386.deb
fa2e56c1070320136e9554a6788e1bc4 29764 math optional r-base_2.7.2-1_all.deb
9e670096397d4818970198a1bd3e8143 2920 devel optional r-base-dev_2.7.2-1_all.deb
15b7ae1191a3be7ba6e86852e82a38c6 1286006 math extra r-base-html_2.7.2-1_all.deb
d9cdd9e9207801956a22f35f87c5c927 1198618 math extra r-base-latex_2.7.2-1_all.deb
2ef9201223664722099cb32f383f33aa 6698876 doc optional r-doc-pdf_2.7.2-1_all.deb
eace7538efe0b1f9617b80f8c239c6b1 605704 doc optional r-doc-html_2.7.2-1_all.deb
cdddc6b45569a843846d1a3eef0a577b 529346 doc optional r-doc-info_2.7.2-1_all.deb
a30987f3348ad335c950f4a5f2a9f7e5 2192 math optional r-recommended_2.7.2-1_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
(Tue, 28 Oct 2008 23:33:02 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(Tue, 28 Oct 2008 23:33:02 GMT)
Message #42 received at 496418@bugs.debian.org:
Hi,
Here's the patch I used for my upload to testing-proposed-updates to address
this bug in lenny as well.
cheers,
Thijs
[496418.patch (text/x-diff, attachment)]
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(Tue, 28 Oct 2008 23:54:06 GMT)
Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
(Tue, 28 Oct 2008 23:54:06 GMT)
Message #47 received at 496418-close@bugs.debian.org:
Source: r-base
Source-Version: 2.7.1-1+lenny1
We believe that the bug you reported is fixed in the latest version of
r-base, which is due to be installed in the Debian FTP archive:
r-base-core-dbg_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-base-core-dbg_2.7.1-1+lenny1_i386.deb
r-base-core_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-base-core_2.7.1-1+lenny1_i386.deb
r-base-dev_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-dev_2.7.1-1+lenny1_all.deb
r-base-html_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-html_2.7.1-1+lenny1_all.deb
r-base-latex_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base-latex_2.7.1-1+lenny1_all.deb
r-base_2.7.1-1+lenny1.diff.gz
to pool/main/r/r-base/r-base_2.7.1-1+lenny1.diff.gz
r-base_2.7.1-1+lenny1.dsc
to pool/main/r/r-base/r-base_2.7.1-1+lenny1.dsc
r-base_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-base_2.7.1-1+lenny1_all.deb
r-doc-html_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-html_2.7.1-1+lenny1_all.deb
r-doc-info_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-info_2.7.1-1+lenny1_all.deb
r-doc-pdf_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-doc-pdf_2.7.1-1+lenny1_all.deb
r-mathlib_2.7.1-1+lenny1_i386.deb
to pool/main/r/r-base/r-mathlib_2.7.1-1+lenny1_i386.deb
r-recommended_2.7.1-1+lenny1_all.deb
to pool/main/r/r-base/r-recommended_2.7.1-1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated r-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 28 Oct 2008 22:38:33 +0000
Source: r-base
Binary: r-base r-base-core r-base-dev r-mathlib r-base-html r-base-latex r-doc-pdf r-doc-html r-doc-info r-recommended r-base-core-dbg
Architecture: source i386 all
Version: 2.7.1-1+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
r-base - GNU R statistical computing language and environment
r-base-core - GNU R core of statistical computing language and environment
r-base-core-dbg - GNU R debug symbols for statistical comp. language and environmen
r-base-dev - GNU R installation of auxiliary GNU R packages
r-base-html - GNU R html docs for statistical computing system functions
r-base-latex - GNU R LaTeX docs for statistical computing system functions
r-doc-html - GNU R html manuals for statistical computing system
r-doc-info - GNU R info manuals statistical computing system
r-doc-pdf - GNU R pdf manuals for statistical computing system
r-mathlib - GNU R standalone mathematics library
r-recommended - GNU R collection of recommended packages [metapackage]
Closes: 496418
Changes:
r-base (2.7.1-1+lenny1) testing-proposed-updates; urgency=low
.
* Non-maintainer upload.
* Port temp file race in src/scripts/javareconf from 2.7.2-1.
(CVE-2008-3931, closes: 496418)
Checksums-Sha1:
301308037a13a3ede606dbb1351a8cb2140ea00c 1984 r-base_2.7.1-1+lenny1.dsc
ef0bacaee90efabb4bbe74e8d98fbe73a86fbceb 57395 r-base_2.7.1-1+lenny1.diff.gz
db462500f67b4775f17844c01fe99b59b067ca63 10302426 r-base-core_2.7.1-1+lenny1_i386.deb
2998ef65743852a0b410efbbc0c2981a1e4d1fef 493940 r-mathlib_2.7.1-1+lenny1_i386.deb
56b4ef5d3a1e1f3e86bfad0735869a6873640404 2335604 r-base-core-dbg_2.7.1-1+lenny1_i386.deb
28b2865516d38a891200fc88c5fb19485ee0d9f8 29704 r-base_2.7.1-1+lenny1_all.deb
4d257aa61f3791b700570da384c3f86f557c3f3d 2930 r-base-dev_2.7.1-1+lenny1_all.deb
72670fa70916f67ddda93ca017cf687ce30b7da6 1281312 r-base-html_2.7.1-1+lenny1_all.deb
02eed19ed5b3e33d8165f7a50484fe9acefd5a96 1198862 r-base-latex_2.7.1-1+lenny1_all.deb
a3798637fddc4603c75982b0debad6c5a2501cda 6678034 r-doc-pdf_2.7.1-1+lenny1_all.deb
d40a0c098534bbc5dc2e1cf502950ff9b77d4a88 602398 r-doc-html_2.7.1-1+lenny1_all.deb
836953fa076daf4e39fbf7656e8041ec1f9a9569 526484 r-doc-info_2.7.1-1+lenny1_all.deb
080e72485324bd87ce158552ad59235ff8adc254 2208 r-recommended_2.7.1-1+lenny1_all.deb
Checksums-Sha256:
c6b34d83ccd2c4b4220469e6aaa5fdf06b2f203413250be518579b0e9bf97db4 1984 r-base_2.7.1-1+lenny1.dsc
71b3860d10ef327dd31786f74ae80dd7f03e78f725d9029e222f34d51829c7e8 57395 r-base_2.7.1-1+lenny1.diff.gz
49c9b766f0d56d7ba5278dee90886ce62678676346f41620c32ad96c30e11494 10302426 r-base-core_2.7.1-1+lenny1_i386.deb
b15c627780e23a139e845c934c1e77335dbb0e269e397a39a045c7485089e267 493940 r-mathlib_2.7.1-1+lenny1_i386.deb
bcfc9967d2adb65235bc92a568f291394c4bc2662e1bd7cf7f01bb3393d58c6a 2335604 r-base-core-dbg_2.7.1-1+lenny1_i386.deb
719f44bd1024ff7dd018105d7cc2af5edf6593fa75fa6939f4cfcba652e286cb 29704 r-base_2.7.1-1+lenny1_all.deb
0ec6ea35a027c40c5ef77ad3a0a408031b0434a3493ce501af36e446e694d593 2930 r-base-dev_2.7.1-1+lenny1_all.deb
7934018a98893114f7d43fbda1bde0d144bb9095ddea79d99d282ed106857a20 1281312 r-base-html_2.7.1-1+lenny1_all.deb
8e431e2c520bd800c136c587706c995925cfc9f56f05493d3bec885410ca980c 1198862 r-base-latex_2.7.1-1+lenny1_all.deb
79e11b2a7d48e1c2bdcda1563408a35e3a5333cc92bd400ee1a31bee442a8c2d 6678034 r-doc-pdf_2.7.1-1+lenny1_all.deb
cc8477e6f5f7eb85e1798c3576d43df9b61f06c9b6a8fa0757e52a5a57a8f96e 602398 r-doc-html_2.7.1-1+lenny1_all.deb
a0d863a2ac5f658b4bdec2137826122267d2be34378787312e964a9a7b13ce0a 526484 r-doc-info_2.7.1-1+lenny1_all.deb
aa30f93f3622ca71c3b83261fec631fddee886c73be6a3fc61c5d79f91050243 2208 r-recommended_2.7.1-1+lenny1_all.deb
Files:
d93f18938546e44c24b39b769df74c2a 1984 math optional r-base_2.7.1-1+lenny1.dsc
724394b4591180a4f21391fea7002112 57395 math optional r-base_2.7.1-1+lenny1.diff.gz
592e84356874fd5cba915de780910370 10302426 math optional r-base-core_2.7.1-1+lenny1_i386.deb
cb9f8fc65d8d77f91a738038e569a1b3 493940 math optional r-mathlib_2.7.1-1+lenny1_i386.deb
f85728833a637a44c103691bbe896e1b 2335604 math extra r-base-core-dbg_2.7.1-1+lenny1_i386.deb
443d7ac72283805c4c7e45b1a03ceb27 29704 math optional r-base_2.7.1-1+lenny1_all.deb
d87f680006503844c8132b6264b3ec06 2930 devel optional r-base-dev_2.7.1-1+lenny1_all.deb
8051cf9672ac6f30856de9096f2ce5cf 1281312 math extra r-base-html_2.7.1-1+lenny1_all.deb
a0e7202715799bbaa6da7ff23bf20b21 1198862 math extra r-base-latex_2.7.1-1+lenny1_all.deb
3953f092ff57a3d30558e591b8b5f7d4 6678034 doc optional r-doc-pdf_2.7.1-1+lenny1_all.deb
87548e040e8f679ebf970b0e008c8fe1 602398 doc optional r-doc-html_2.7.1-1+lenny1_all.deb
60818fc16517a3a4da9f081f1beee280 526484 doc optional r-doc-info_2.7.1-1+lenny1_all.deb
9e81f875b304c5fead55621b364b24de 2208 math optional r-recommended_2.7.1-1+lenny1_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496418; Package r-base-core.
(Wed, 29 Oct 2008 03:18:02 GMT)
Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list.
(Wed, 29 Oct 2008 03:18:02 GMT)
Message #52 received at 496418@bugs.debian.org:
Thijs,
On 29 October 2008 at 00:31, Thijs Kinkhorst wrote:
| Hi,
|
| Here's the patch I used for my upload to testing-proposed-updates to address
| this bug in lenny aswell.
Thanks for doing that, I really appreciate it.
May I ask two questions? What I don't understand is
i) why didn't my 2.7.1-2 with the timely initial patch get through? Should
I have uploaded to t-p-u ?
ii) why didn't you ping me? I could have taken this load off your shoulders.
Anyway, good to see it fixed.
Cheers, Dirk
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#496418; Package r-base-core.
(Wed, 29 Oct 2008 20:09:22 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(Wed, 29 Oct 2008 20:09:24 GMT)
Message #57 received at 496418@bugs.debian.org:
Hi Dirk,
On Wednesday 29 October 2008 04:15, Dirk Eddelbuettel wrote:
> i) why didn't my 2.7.1-2 with the timely initial patch get through?
> Should I have uploaded to t-p-u ?
I'm not sure, it's a bit hard to reproduce now what factors caused that at
that time.
> ii) why didn't you ping me? I could have taken this load off your
> shoulders.
I just had a bit of time to fix an RC bug, so I went ahead and took one
which went unfixed for a prolonged period of time.
cheers,
Thijs
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Feb 2009 07:51:21 GMT)