Hi, Here's the patch I used for my upload to testing-proposed-updates to address this bug in lenny as well.
cheers, Thijs
diff -u r-base-2.7.1/debian/changelog r-base-2.7.1/debian/changelog
--- r-base-2.7.1/debian/changelog
+++ r-base-2.7.1/debian/changelog
@@ -1,3 +1,11 @@
+r-base (2.7.1-1+lenny1) testing-proposed-updates; urgency=low
+
+ * Non-maintainer upload.
+ * Port temp file race in src/scripts/javareconf from 2.7.2-1.
+ (CVE-2008-3931, closes: 496418)
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]> Tue, 28 Oct 2008 22:38:33 +0000
+
 r-base (2.7.1-1) unstable; urgency=low
 
 * New upstream version released a few hours ago
@@ -2006 +2014 @@
-
\ No newline at end of file
+
only in patch2:
unchanged:
--- r-base-2.7.1.orig/src/scripts/javareconf
+++ r-base-2.7.1/src/scripts/javareconf
@@ -125,16 +125,28 @@
 javac_works='not present'
 if test -n "$JAVAC"; then
 javac_works='not functional'
- rm -rf /tmp/A.java /tmp/A.class
- echo "public class A { }" > /tmp/A.java
- if test -e /tmp/A.java; then
- if "${JAVAC}" /tmp/A.java >/dev/null; then
- if test -e /tmp/A.class; then
+# tempdir=`mktemp -d`
+
+ : ${TMPDIR=/tmp}
+ { tempdir=`(mktemp -d -q "${TMPDIR}/RJRECONF.XXXXXX") 2>/dev/null` \
+ && test -n "${tempdir}" && test -d "${tempdir}" ; } ||
+ { test -n "${RANDOM}" && tempdir=${TMPDIR}/RJRECONF$$-${RANDOM} \
+ && (mkdir "${tempdir}") ; } ||
+ { tempdir=${TMPDIR}/RJRECONF.$$-`date +%m%d%H%M%S` \
+ && (mkdir "${tempdir}"); } ||
+ { tempdir=${TMPDIR}/RJRECONF.$$ && (mkdir "${tempdir}") ; } ||
+ (error "cannot create temporary directory" && exit 1)
+
+ echo "public class A { }" > ${tempdir}/A.java
+ if test -e ${tempdir}/A.java; then
+ if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
+ if test -e ${tempdir}/A.class; then
 javac_works=yes
 fi
 fi
 fi
- rm -rf /tmp/A.java /tmp/A.class
+ rm -rf ${tempdir}
+
 fi
 if test "${javac_works}" = yes; then
 echo "Java compiler : ${JAVAC}"
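Review bot: The last fallback in the javareconf hunk, `(error "cannot create temporary directory" && exit 1)`, runs `exit 1` inside a subshell, so the script itself does not stop when every directory-creation attempt has failed. In that case `tempdir` still holds the predictable `${TMPDIR}/RJRECONF.$$` path whose `mkdir` just failed, and the following `echo ... > ${tempdir}/A.java` and `rm -rf ${tempdir}` operate on a location the script did not create, which is the condition this fix is meant to remove. Use a brace group so the exit applies to the script, e.g. `{ echo "cannot create temporary directory" >&2; exit 1; }`; `error` is not defined in the visible lines, so confirm it exists before relying on it. It would also help to quote the later uses (`"${tempdir}/A.java"`, `rm -rf "${tempdir}"`) so a `TMPDIR` containing spaces or glob characters cannot redirect the write or the delete.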
pgpTRKBZnVf1J.pgp
Description: PGP signature