R: Insecure temporary file creation — GLSA 200809-13

R is vulnerable to symlink attacks due to an insecure usage of temporary files.

Affected Packages

dev-lang/R on all architectures
Affected versions < 2.7.1
Unaffected versions >= 2.7.1

Background

R is a GPL licensed implementation of S, a language and environment for statistical computing and graphics.

Description

Dmitry E. Oboukhov reported that the "javareconf" script uses temporary files in an insecure manner.

Impact

A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All R users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/R-2.7.1"

References

Release Date
September 22, 2008

Latest Revision
September 22, 2008: 01

Severity
normal

Exploitable
local

Bugzilla entries