[Bug 1023960] [NEW] (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug

karma 1023960 at bugs.launchpad.net
Thu Jul 12 15:58:47 UTC 2012 

*** This bug is a security vulnerability ***

Public security bug reported:

Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
 everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.

http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

** Affects: automake (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: automake (Debian)
     Importance: Unknown
         Status: Unknown

** Affects: automake (Fedora)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #681097
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681097

** Also affects: automake (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681097
   Importance: Unknown
       Status: Unknown

** Bug watch added: Red Hat Bugzilla #838286
   https://bugzilla.redhat.com/show_bug.cgi?id=838286

** Also affects: automake (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=838286
   Importance: Unknown
       Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3386

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to automake in Ubuntu.
https://bugs.launchpad.net/bugs/1023960

Title:
  (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make
  distcheck" bug

Status in “automake” package in Ubuntu:
  New
Status in “automake” package in Debian:
  Unknown
Status in “automake” package in Fedora:
  Unknown

Bug description:
  Stefano Lattarini discovered a vulnerability in automake
  that is much like the one that prompted CVE-2009-4029:
  automake's distcheck rule makes distdir briefly world-writable.
  Stefano also wrote the patch below.

  This bug is slightly more limited because it affects only the
  "make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

  The point is that with these temporarily-relaxed directory permissions,
  an attacker can cause the person running "make distcheck" in an attacker-
  accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

  Version-Release number of selected component (if applicable):
   everything prior to v1.12.1-214-g15b8b62

  How reproducible:
  The directory is world-writable only briefly, but the flaw is
  exploitable.

  http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/+subscriptions

More information about the foundations-bugs mailing list