We had just recently bumped up the Autotools triple used to create the trunk 
and v1.7 tarballs to include Automake 1.12.1.  Due to the notice below, I have 
bumped it up to 1.12.2.  Nightly tarballs starting tonight will use this new 
version.

I have also patched the Automake that is being used to generate the v1.6 
tarballs (1.11.3) per the notice below.  Nightly tarballs starting tonight will 
use this patched version.

Since we are no longer generating tarballs for versions older than v1.6, I do 
not intend to patch any further versions of Automake, nor generate any new 
versions of older OMPI tarballs.


Begin forwarded message:

> From: Stefano Lattarini <stefano.lattar...@gmail.com>
> Subject: CVE-2012-3386 Automake security fix for 'make distcheck'
> Date: July 9, 2012 12:26:01 PM EDT
> To: Automake List <autom...@gnu.org>
> Cc: <info-...@gnu.org>, <autotools-annou...@gnu.org>
> 
> GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable
> security-related race condition that affects "make distcheck" for
> all packages that use Automake.
> 
> Before the fix, the recipe of the 'distcheck' target granted temporary
> world-write permissions on the extracted distdir.  This introduced
> a locally exploitable race condition for those who run "make distcheck"
> with a non-restrictive umask (e.g., 022) in a directory that was
> accessible by others.  A successful exploit would result in arbitrary
> code execution with the privileges of the user running "make distcheck".
> 
> It is important to stress that this vulnerability impacts not only
> the Automake package itself, but all packages with Automake-generated
> makefiles.  For an effective fix it is necessary to regenerate the
> Makefile.in files with a fixed Automake version.
> 
> For release series older than 1.11.x, no fix has been applied to
> the git repository, and no official new release is planned that
> fixes the vulnerability.  Users interested in having such a fix in
> older releases will have to apply it manually (the attached patch is
> what we used on the 1.11.6 and 1.12.2 release).
> 
> The issue was found and fixed by Stefano Lattarini.  Jim Meyering
> wrote a proof-of-concept script showing that the vulnerability is
> easy to exploit.
> 
From bab7065f75bb9680df8c782da06a8312e5fa95a6 Mon Sep 17 00:00:00 2001
Message-Id: <bab7065f75bb9680df8c782da06a8312e5fa95a6.1341851067.git.stefano.lattar...@gmail.com>
From: Stefano Lattarini <stefano.lattar...@gmail.com>
List-Post: devel@lists.open-mpi.org
Date: Fri, 6 Jul 2012 22:43:04 +0200
Subject: [PATCH] distcheck: never make part of $(distdir) world-writable

This fixes a locally-exploitable security vulnerability (CVE-2012-3386).

In the 'distcheck' rule, we used to make the just-extracted (from
the distribution tarball) $(distdir) directory and all its files and
subdirectories read-only; then, in order to create the '_inst' and
'_build' subdirectories in there (used by the rest of the recipe) we
made the top-level $(distdir) *world-writable* for an instant (the
time to create those two directories) before making it read-only
again.

Making that directory world-writable (albeit only briefly) introduced a
locally exploitable race condition for those who run "make distcheck" with
a non-restrictive umask (e.g., 022) in a directory that is accessible by
others.  A successful exploit would result in arbitrary code execution
with the privileges of the user running "make distcheck" -- game over.
Jim Meyering wrote a proof-of-concept script showing that such exploit is
easily implemented.

This issue is similar to the CVE-2009-4029 vulnerability:
<http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html>

* lib/am/distdir.am (distcheck): Don't make $(distdir) world-writable,
not even for an instant; make it user-writable instead, which is enough.

Helped-By: Jim Meyering <j...@meyering.net>
Signed-off-by: Stefano Lattarini <stefano.lattar...@gmail.com>
---
 NEWS              |    9 +++++++++
 lib/am/distdir.am |    2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index ee16961..4975e8e 100644
--- a/NEWS
+++ b/NEWS
@@ -92,6 +92,15 @@ New in 1.12.2:
 
 Bugs fixed in 1.12.2:
 
+* SECURITY VULNERABILITIES!
+
+  - The recipe of the 'distcheck' no longer grants anymore temporary
+    world-wide write permissions on the extracted distdir.  Even if such
+    rights were only granted for a vanishingly small time window, the
+    implied race condition proved to be enough to allow a local attacker
+    to run arbitrary code with the privileges of the user running "make
+    distcheck".  This is CVE-2012-3386.
+
 * Long-standing bugs:
 
   - The "recheck" targets behaves better in the face of build failures
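Review bot: the sentence "The recipe of the 'distcheck' no longer grants anymore temporary world-wide write permissions" in the new NEWS entry doubles the negation ("no longer ... anymore") and drops the word "target"; suggest "The recipe of the 'distcheck' target no longer grants temporary world-write permissions on the extracted distdir." Since the announcement says 1.11.6 carries the same fix, the entry could also point readers of the 1.12.x series to that release for the older branch.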
diff --git a/lib/am/distdir.am b/lib/am/distdir.am
index e27b650..f636a1e 100644
--- a/lib/am/distdir.am
+++ b/lib/am/distdir.am
@@ -449,7 +449,7 @@ distcheck: dist
 ## Make the new source tree read-only.  Distributions ought to work in
 ## this case.  However, make the top-level directory writable so we
 ## can make our new subdirs.
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 ## Undo the write access.
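Review bot: the comment block above the changed line still reads "make the top-level directory writable so we can make our new subdirs", which no longer distinguishes the old a+w from the new u+w and gives a future cleanup no reason not to widen it again; suggest rewording it to say the directory is made writable by its owner only and must never be world-writable (CVE-2012-3386). The change itself is sufficient as described in the commit message: the mkdir of _build and _inst runs as the same user that owns $(distdir), so user-write is all the recipe needs, and the "Undo the write access" step that follows still restores the read-only state.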
-- 
1.7.9.5

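The announcement stresses that regenerating Makefile.in with a fixed Automake is the only effective remedy, and the patch shows exactly which recipe line changes (a+w to u+w on $(distdir)). The following script is an added example, not code from this mail or from Automake: it scans a source tree for generated Makefile.in files whose distcheck recipe still carries the world-writable step, so a maintainer can see which trees still need regeneration. The sample Makefile.in fragments and directory names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the original mail or from Automake.  It scans a
# source tree for Automake-generated Makefile.in files whose 'distcheck' recipe
# still carries the pre-fix "chmod a+w $(distdir)" step (CVE-2012-3386), so a
# maintainer can see which trees must be regenerated with Automake 1.11.6 or
# 1.12.2.  The sample Makefile.in fragments below are constructed for the demo.

# Classify one Makefile.in by the chmod step in its distcheck recipe.
# Prints VULNERABLE (old a+w recipe), FIXED (u+w recipe) or NO-DISTCHECK.
distcheck_recipe_status() {
    if grep -q -F 'chmod a+w $(distdir)' "$1"; then
        echo VULNERABLE
    elif grep -q -F 'chmod u+w $(distdir)' "$1"; then
        echo FIXED
    else
        echo NO-DISTCHECK
    fi
}

# Print a status/path report for every Makefile.in under the tree in $1.
scan_tree() {
    find "$1" -name Makefile.in | sort | while read -r f; do
        printf '%s\t%s\n' "$(distcheck_recipe_status "$f")" "$f"
    done
}

# Count the Makefile.in files under $1 that still use the world-writable step.
vulnerable_count() {
    find "$1" -name Makefile.in \
        -exec grep -q -F 'chmod a+w $(distdir)' {} \; -print | wc -l | tr -d ' '
}

# Build a throwaway tree with one old-style and one regenerated Makefile.in
# (constructed fragments containing only the lines relevant to the check).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/old" "$d/new"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$d/old/Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$d/new/Makefile.in"
    echo "$d"
}

# Usage: report on the constructed tree, then clean it up.
tree=$(make_sample_tree)
scan_tree "$tree"
echo "world-writable distcheck recipes: $(vulnerable_count "$tree")"
rm -rf "$tree"
```

Point `scan_tree` at a real checkout (or at an unpacked release tarball, which ships Makefile.in) instead of the constructed tree; any file reported VULNERABLE was generated by an Automake older than the fixed releases and should be regenerated before anyone runs "make distcheck" from a shared directory.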


-- 
Jeff Squyres
jsquy...@cisco.com
For corporate legal information go to: 
http://www.cisco.com/web/about/doing_business/legal/cri/
