[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2012-3386 Automake security fix for 'make distcheck'

From: Stefano Lattarini
Subject: CVE-2012-3386 Automake security fix for 'make distcheck'
Date: Mon, 09 Jul 2012 18:26:01 +0200

GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable
security-related race condition that affects "make distcheck" for
all packages that use Automake.

Before the fix, the recipe of the 'distcheck' target granted temporary
world-write permissions on the extracted distdir.  This introduced
a locally exploitable race condition for those who run "make distcheck"
with a non-restrictive umask (e.g., 022) in a directory that was
accessible by others.  A successful exploit would result in arbitrary
code execution with the privileges of the user running "make distcheck".

It is important to stress that this vulnerability impacts not only
the Automake package itself, but all packages with Automake-generated
makefiles.  For an effective fix it is necessary to regenerate the files with a fixed Automake version.

For release series older than 1.11.x, no fix has been been applied to
the the git repository, and no official new release is planned that
fixes the vulnerability.  Users interested in having such a fix in
older releases will have to apply it manually (the attached patch is
what we used on the 1.11.6 and 1.12.2 release).

The issue was found and fixed by Stefano Lattarini.  Jim Meyering
wrote a proof-of-concept script showing that the vulnerability is
easy to exploit.

Attachment: 0001-distcheck-never-make-part-of-distdir-world-writable.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]