Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
jaxen-1.1.4 potential security issue in portage? [RESOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
dufeu
l33t
l33t


Joined: 30 Aug 2002
Posts: 924
Location: US-FL-EST

PostPosted: Mon Oct 15, 2012 2:15 am    Post subject: jaxen-1.1.4 potential security issue in portage? [RESOLVED] Reply with quote

In the process of doing a world update, I encountered a message I've never seen before.

The package is 'jaxen-1.1.4' and it failed for the following:
Code:
BUILD FAILED
/var/tmp/portage/dev-java/jaxen-1.1.4/work/jaxen-1.1.4/build.xml:29: Directory /root/.maven/repository creation was not successful for an unknown reason

I've never seen any ebuild try to create a hidden work directory under /root before.

The package was version bumped earlier today {from 1.1.1 to 1.1.4}.

Perhaps a developer might want to give this some closer attention. It's Bug #438400 - dev-java/jaxen-1.1.4 fails creation of suspicious directory: /root/.maven/repository

At least one other person seems to have encountered this.

Disclaimer: I'm not a developer. I'm not a programmer. I don't play one on TV.

Thank you.

edit Fixed in CVS as per above bug report
_________________
People whom think M$ is mediocre, don't know the half of it.


Last edited by dufeu on Mon Oct 15, 2012 7:27 pm; edited 1 time in total
Back to top
View user's profile Send private message
avx
Advocate
Advocate


Joined: 21 Jun 2004
Posts: 2152

PostPosted: Mon Oct 15, 2012 2:39 am    Post subject: Reply with quote

Don't know anything java, but this is in jaxen-1.1.4_maven1-build.xml linked from https://bugs.gentoo.org/show_bug.cgi?id=426384
Code:
<property name="libdir" value="${user.home}/.maven/repository"></property>


Edit, for the future, if you think something has security implications, you might want to rate the bug higher than 'normal'.
_________________
++++++++++[>+++++++>++++++++++>+++>+<<<<-]>++.>+.+++++++..+++.>++.<<+++++++++++++++.>.+++.------.--------.>+.>.
Back to top
View user's profile Send private message
dufeu
l33t
l33t


Joined: 30 Aug 2002
Posts: 924
Location: US-FL-EST

PostPosted: Mon Oct 15, 2012 2:49 am    Post subject: Reply with quote

avx wrote:
Don't know anything java, but this is in jaxen-1.1.4_maven1-build.xml linked from https://bugs.gentoo.org/show_bug.cgi?id=426384
Code:
<property name="libdir" value="${user.home}/.maven/repository"></property>


Edit, for the future, if you think something has security implications, you might want to rate the bug higher than 'normal'.

My initial concern was simply to see if I needed this new version. 'equery' showed that version 1.1.1 was acceptable so I masked it and reported it as I would normally report any other borked ebuild.

It wasn't until just a little while ago that it occurred to me that any attempt to create a hidden directoy under /root should be regarded with a bit more suspicion.

While it is probably more likely that this is a temporary directory that the patch submitter forgot about {I also referenced the version bump bug in my bug report}, I'm not qualified nor authorized to make that determination.

And you're correct, I should have submitted this with a higher criticality level than 'normal'.

edit Raised the importance level to 'high' until someone can determine if this is simply the patch submitter being forgetful or if this has actual security implications.
_________________
People whom think M$ is mediocre, don't know the half of it.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum