dufeu (l33t)
Joined: 30 Aug 2002, Posts: 924, Location: US-FL-EST
Posted: Mon Oct 15, 2012 2:15 am
Post subject: jaxen-1.1.4 potential security issue in portage? [RESOLVED]
In the process of doing a world update, I encountered a message I've never seen before.
The package is 'jaxen-1.1.4' and it failed for the following:
Code:
    BUILD FAILED
    /var/tmp/portage/dev-java/jaxen-1.1.4/work/jaxen-1.1.4/build.xml:29: Directory /root/.maven/repository creation was not successful for an unknown reason
I've never seen any ebuild try to create a hidden work directory under /root before.
The package was version bumped earlier today {from 1.1.1 to 1.1.4}.
Perhaps a developer might want to give this some closer attention. It's Bug #438400 - dev-java/jaxen-1.1.4 fails creation of suspicious directory: /root/.maven/repository
At least one other person seems to have encountered this.
Disclaimer: I'm not a developer. I'm not a programmer. I don't play one on TV.
Thank you.
edit: Fixed in CVS as per the above bug report.
_________________
People who think M$ is mediocre don't know the half of it.
Last edited by dufeu on Mon Oct 15, 2012 7:27 pm; edited 1 time in total
avx (Advocate)
Joined: 21 Jun 2004, Posts: 2152
Posted: Mon Oct 15, 2012 2:39 am
Don't know anything java, but this is in jaxen-1.1.4_maven1-build.xml linked from https://bugs.gentoo.org/show_bug.cgi?id=426384
Code:
    <property name="libdir" value="${user.home}/.maven/repository"></property>
Edit, for the future: if you think something has security implications, you might want to rate the bug higher than 'normal'.
_________________
++++++++++[>+++++++>++++++++++>+++>+<<<<-]>++.>+.+++++++..+++.>++.<<+++++++++++++++.>.+++.------.--------.>+.>.
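The property avx quotes is the whole mechanism: an Ant build file resolves ${user.home} to the invoking user's home, which is /root during a portage build. As an added example (not code from the thread, the Gentoo bug, or the jaxen project), here is a small Python check that parses an Ant build.xml, expands the file's own ${property} chains, and reports every property or directory-writing task that still resolves into ${user.home}. The sample build file is constructed around the quoted property line; the chained property and the mkdir tasks are assumed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first <property> is the jaxen-1.1.4_maven1-build.xml
# line quoted in the thread; the chained property and the <mkdir> tasks are
# assumed, for illustration only.
SAMPLE_BUILD_XML = """<project name="jaxen" default="jar">
  <property name="libdir" value="${user.home}/.maven/repository"/>
  <property name="jardir" value="${libdir}/jaxen/jars"/>
  <property name="build.dir" value="${basedir}/target"/>
  <mkdir dir="${jardir}"/>
  <mkdir dir="${build.dir}"/>
</project>"""

PROP_REF = re.compile(r"\$\{([^}]+)\}")
# Ant built-ins that point outside the build tree. For a portage build run as
# root, ${user.home} is /root, which is how /root/.maven/repository appeared.
HOME_REFS = ("${user.home}",)
# Task attributes that name a directory the build will create or write into.
DIR_ATTRS = ("dir", "todir", "destdir")

def resolve(value, props, depth=0):
    """Expand ${name} references using the build file's own <property> values.
    Unknown names such as ${basedir} are left as written; depth bounds cycles."""
    if depth > 10:
        return value
    def expand(m):
        name = m.group(1)
        if name in props:
            return resolve(props[name], props, depth + 1)
        return m.group(0)
    return PROP_REF.sub(expand, value)

def find_home_dir_writes(xml_text):
    """Return [(location, resolved_path)] for every property and every
    directory-writing task attribute that still resolves into ${user.home}."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.iter("property")
             if p.get("name") is not None and p.get("value") is not None}
    findings = []
    for name, value in props.items():
        resolved = resolve(value, props)
        if any(h in resolved for h in HOME_REFS):
            findings.append((f"property:{name}", resolved))
    for el in root.iter():
        for attr in DIR_ATTRS:
            if el.get(attr) is not None:
                resolved = resolve(el.get(attr), props)
                if any(h in resolved for h in HOME_REFS):
                    findings.append((f"{el.tag}:{attr}", resolved))
    return findings

if __name__ == "__main__":
    for location, path in find_home_dir_writes(SAMPLE_BUILD_XML):
        print(f"{location} -> {path}")
```

Running it against a real build.xml extracted from the portage work directory lists each location that would escape the build tree, before the ebuild is allowed to run.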
dufeu (l33t)
Joined: 30 Aug 2002, Posts: 924, Location: US-FL-EST
Posted: Mon Oct 15, 2012 2:49 am
avx wrote:
> Don't know anything java, but this is in jaxen-1.1.4_maven1-build.xml linked from https://bugs.gentoo.org/show_bug.cgi?id=426384
> Code:
>     <property name="libdir" value="${user.home}/.maven/repository"></property>
> Edit, for the future: if you think something has security implications, you might want to rate the bug higher than 'normal'.
My initial concern was simply to see if I needed this new version. 'equery' showed that version 1.1.1 was acceptable, so I masked it and reported it as I would normally report any other borked ebuild.
It wasn't until just a little while ago that it occurred to me that any attempt to create a hidden directory under /root should be regarded with a bit more suspicion.
While it is probably more likely that this is a temporary directory that the patch submitter forgot about {I also referenced the version bump bug in my bug report}, I'm not qualified nor authorized to make that determination.
And you're correct, I should have submitted this with a higher criticality level than 'normal'.
edit: Raised the importance level to 'high' until someone can determine if this is simply the patch submitter being forgetful or if this has actual security implications.
_________________
People who think M$ is mediocre don't know the half of it.