[Bug 1023960] Re: (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug
Jamie Strandboge
jamie at ubuntu.com
Fri Jul 13 20:04:50 UTC 2012
** Changed in: automake (Ubuntu)
Status: New => Triaged
** Changed in: automake (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to automake in Ubuntu.
https://bugs.launchpad.net/bugs/1023960
Title:
(CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make
distcheck" bug
Status in “automake” package in Ubuntu:
Triaged
Status in “automake” package in Debian:
Unknown
Status in “automake” package in Fedora:
Unknown
Bug description:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.
This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.
The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.
Version-Release number of selected component (if applicable):
everything prior to v1.12.1-214-g15b8b62
How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/+subscriptions
More information about the foundations-bugs
mailing list