Microsoft fixed yesterday a faulty Debian package that was playing with users’ operating system settings during its installation routine.
The faulty package that caused all the problems was Open R v3.5. Open R is an improved version of the R programming language maintained by Microsoft.
According to Norbert Preining, a mathematician living in Japan, version 3.5 of Microsoft’s Debian package for Open R contained an insecure installation and uninstall scripts that modified the configuration of the entire system, a big no in the Linux package arena.
Defective packages reloaded Bash
The faulty package was forcibly re-linked /bin/sh to /bin/bin/bash, which would be a problem if users had re-linked /bin/ sh to another shell, such as the script, which would have caused the user’s local settings to be overwritten.
In addition, the package also forcibly removed /usr/bin/ R and /usr/bin/Rscript without verifying whether this was the path to the R language version that the package was supposed to operate with. This would also be a problem if the user had installed different versions of the R language on the same computer.
Preining informed the Microsoft team of the problems on Monday through the company’s forum. The Microsoft R team released a review yesterday. The revision has been incorporated into the Open R Debian package. The version number remains the same, which means that users will have to re-download and install the package.
Microsoft: I’m sorry!
“While we worked hard to be a good steward of all the open source communities in which we participated, it did not meet the high expectations of the community,” said a Microsoft spokesperson.
“We have implemented processes to help us solve these types of problems as soon as they are discovered (this problem was identified in 2016 but not solved) and named people have been identified to monitor and address any problems as soon as possible. We are fortunate that Microsoft has many experienced Linux contributors in our company, and we will do our best to get their contribution in the future,” added Microsoft.
Translated with www.DeepL.com/Translator