Launchpad has imported 16 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=838286.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-07-08T09:29:01+00:00 Jim wrote:

Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
  everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/0

------------------------------------------------------------------------
On 2012-07-08T09:34:27+00:00 Jim wrote:

Created attachment 596864
planned fix

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/1

------------------------------------------------------------------------
On 2012-07-08T09:47:17+00:00 Jim wrote:

FYI, Stefano wrote:

  "git blame" tells me that the offending "chmod a+w" command has been there
  (ignoring trivial changes and code movements) since almost "forever" (at
  least since commit 6a60072d, where configure.in defines an Automake
  version of 1.4a).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/2
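
An added example, not part of the imported comments or of the Automake patch: a small audit helper that reports recipe lines in a Makefile's distcheck rule that make $(distdir) writable by other users, which is the "chmod a+w" condition described above. The sample Makefile text is constructed, and the owner-only "chmod u+w" used as the corrected variant is an assumption, not quoted from the fix.

```python
import re

# One chmod invocation: optional flags, the mode, then operands up to ; & or |
CHMOD = re.compile(r'\bchmod\s+(?:-\w+\s+)*(\S+)\s+([^;&|]+)')

def grants_world_write(mode):
    """True if a chmod mode argument gives 'other' users write permission."""
    if re.fullmatch(r'[0-7]{3,4}', mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(','):
        m = re.fullmatch(r'([ugoa]*)([+=])([rwxXst]*)', clause)
        if m and 'w' in m.group(3) and set(m.group(1)) & {'a', 'o'}:
            return True
    return False

def find_world_writable_distdir(makefile_text, target='distcheck'):
    """Return (line_number, command) for recipe lines of `target` that
    chmod $(distdir) so that other users can write to it."""
    findings, in_rule = [], False
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith('\t'):
            # Non-recipe line: blanks and comments keep the current rule,
            # anything else starts a new rule or ends the current one.
            if line.strip() and not line.startswith('#'):
                in_rule = re.match(re.escape(target) + r'\s*:', line) is not None
            continue
        if not in_rule:
            continue
        for m in CHMOD.finditer(line):
            mode, operands = m.group(1), m.group(2)
            if 'distdir' in operands and grants_world_write(mode):
                findings.append((lineno, m.group(0).strip()))
    return findings

# Constructed sample modelled on the report; not copied from Automake.
VULNERABLE = (
    "distdir = pkg-1.0\n"
    "dist:\n"
    "\tchmod -R a+r $(distdir)\n"
    "distcheck: dist\n"
    "\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n"
    "\tmkdir $(distdir)/_build\n"
    "\tchmod a-w $(distdir)\n"
)
# Assumed corrected variant: only the owner regains write access.
FIXED = VULNERABLE.replace("chmod a+w", "chmod u+w")

if __name__ == "__main__":
    for lineno, cmd in find_world_writable_distdir(VULNERABLE):
        print("line %d: %s" % (lineno, cmd))
```

Run it over the Makefile.in files in a source tree; an empty result for a file means its distcheck recipe contains no chmod that opens $(distdir) to other users.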

------------------------------------------------------------------------
On 2012-07-08T09:48:11+00:00 Jim wrote:

Stefano plans to release fixed automake in the next day or so.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/3

------------------------------------------------------------------------
On 2012-07-09T07:59:11+00:00 Stefan wrote:

Thank you very much for reporting this.

Do you need a new CVE for this, or is there already a CVE
request/assignment in progress?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/4

------------------------------------------------------------------------
On 2012-07-09T08:05:25+00:00 Jim wrote:

Yes, please.  If you can give us a CVE number, that'd be welcome.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/5

------------------------------------------------------------------------
On 2012-07-09T08:25:35+00:00 Stefan wrote:

(In reply to comment #5)
> Yes, please.  If you can give us a CVE number, that'd be welcome.

Please use CVE-2012-3386 for this issue. Thanks!

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/6

------------------------------------------------------------------------
On 2012-07-09T16:38:50+00:00 Jim wrote:

The patch/bug are now public:

  http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

In addition, GNU Automake 1.12.2 (with this fix) has been released.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/7

------------------------------------------------------------------------
On 2012-07-09T17:50:43+00:00 Vincent wrote:

Created automake17 tracking bugs for this issue

Affects: fedora-all [bug 838661]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/8

------------------------------------------------------------------------
On 2012-07-09T17:50:45+00:00 Vincent wrote:

Created automake tracking bugs for this issue

Affects: fedora-all [bug 838660]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/9

------------------------------------------------------------------------
On 2012-07-10T05:48:48+00:00 Stefan wrote:

Fixed upstream in GIT and versions 1.11.6 and 1.12.2.

References:

http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/10

------------------------------------------------------------------------
On 2013-02-20T03:49:51+00:00 Murray wrote:

Acknowledgements:

Red Hat would like to thank Jim Meyering for reporting this issue.
Upstream acknowledges Stefano Lattarini as the original reporter.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/12

------------------------------------------------------------------------
On 2013-02-21T11:04:32+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0526 https://rhn.redhat.com/errata/RHSA-2013-0526.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/13

------------------------------------------------------------------------
On 2013-02-22T04:44:09+00:00 Huzaifa wrote:

Statement:

This issue affects the version of automake15, automake16 and automake17
as shipped with Red Hat Enterprise Linux 5. This issue affects the
version of automake15 and automake16 as shipped with Red Hat Enterprise
Linux 6.  A future update may address this flaw in various affected
versions of automake.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/14

------------------------------------------------------------------------
On 2014-08-26T08:02:40+00:00 Martin wrote:

IssueDescription:

It was found that the distcheck rule in Automake-generated Makefiles
made a directory world-writable when preparing source archives. If a
malicious, local user could access this directory, they could execute
arbitrary code with the privileges of the user running "make distcheck".

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/15

------------------------------------------------------------------------
On 2014-09-16T05:29:42+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1243 https://rhn.redhat.com/errata/RHSA-2014-1243.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/comments/16


** Changed in: automake (Fedora)
       Status: Unknown => Fix Released

** Changed in: automake (Fedora)
   Importance: Unknown => Low

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4029

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1023960

Title:
  (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make
  distcheck" bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
