[Rd] Security issue with javareconf script (PR#12636)
tcallawa at redhat.com
Fri Aug 29 17:35:07 CEST 2008
Full_Name: Tom Callaway
Version: 2.7.2
OS: Fedora 10 (Linux/x86_64)
Submission from: (NULL) (96.233.67.230)
Recently, Debian identified a security issue with the javareconf script in R. I
confirmed that this is still unfixed in R 2.7.2.
The following patch resolves the issue:
diff -up R-2.7.2/src/scripts/javareconf.BAD R-2.7.1/src/scripts/javareconf
--- R-2.7.2/src/scripts/javareconf.BAD 2008-08-29 11:04:21.000000000 -0400
+++ R-2.7.2/src/scripts/javareconf 2008-08-29 11:05:34.000000000 -0400
@@ -125,16 +125,17 @@ fi
javac_works='not present'
if test -n "$JAVAC"; then
javac_works='not functional'
- rm -rf /tmp/A.java /tmp/A.class
- echo "public class A { }" > /tmp/A.java
- if test -e /tmp/A.java; then
- if "${JAVAC}" /tmp/A.java >/dev/null; then
- if test -e /tmp/A.class; then
+ tempdir=`mktemp -d`
+ echo "public class A { }" > ${tempdir}/A.java
+ if test -e ${tempdir}/A.java; then
+ if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
+ if test -e ${tempdir}/A.class; then
javac_works=yes
fi
fi
fi
- rm -rf /tmp/A.java /tmp/A.class
+ rm -rf ${tempdir}
+
fi
if test "${javac_works}" = yes; then
echo "Java compiler : ${JAVAC}"
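Review bot: the result of `mktemp -d` on the added `tempdir=` line is never checked. If mktemp fails, `tempdir` is empty and the next lines operate on `/A.java` and `/A.class` at the filesystem root instead of a private directory. Suggest stopping on failure, for example tempdir=`mktemp -d` || exit 1, before anything is written. The `${tempdir}` expansions in the echo redirect, the two `test -e` checks, the javac argument and the final `rm -rf` are also unquoted, so a TMPDIR containing whitespace would split the path; writing them as "${tempdir}/A.java" and "${tempdir}" avoids that.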