GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable security-related race condition that affects "make distcheck" for all packages that use Automake.
Before the fix, the recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck". It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version. For release series older than 1.11.x, no fix has been been applied to the the git repository, and no official new release is planned that fixes the vulnerability. Users interested in having such a fix in older releases will have to apply it manually (the attached patch is what we used on the 1.11.6 and 1.12.2 release). The issue was found and fixed by Stefano Lattarini. Jim Meyering wrote a proof-of-concept script showing that the vulnerability is easy to exploit.
>From bab7065f75bb9680df8c782da06a8312e5fa95a6 Mon Sep 17 00:00:00 2001 Message-Id: <bab7065f75bb9680df8c782da06a8312e5fa95a6.1341851067.git.stefano.lattar...@gmail.com> From: Stefano Lattarini <stefano.lattar...@gmail.com> Date: Fri, 6 Jul 2012 22:43:04 +0200 Subject: [PATCH] distcheck: never make part of $(distdir) world-writable This fixes a locally-exploitable security vulnerability (CVE-2012-3386). In the 'distcheck' rule, we used to make the just-extracted (from the distribution tarball) $(distdir) directory and all its files and subdirectories read-only; then, in order to create the '_inst' and '_build' subdirectories in there (used by the rest of the recipe) we made the top-level $(distdir) *world-writable* for an instant (the time to create those two directories) before making it read-only again. Making that directory world-writable (albeit only briefly) introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that is accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck" -- game over. Jim Meyering wrote a proof-of-concept script showing that such exploit is easily implemented. This issue is similar to the CVE-2009-4029 vulnerability: <http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html> * lib/am/distdir.am (distcheck): Don't make $(distdir) world-writable, not even for an instant; make it user-writable instead, which is enough. Helped-By: Jim Meyering <j...@meyering.net> Signed-off-by: Stefano Lattarini <stefano.lattar...@gmail.com> --- NEWS | 9 +++++++++ lib/am/distdir.am | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index ee16961..4975e8e 100644 --- a/NEWS +++ b/NEWS @@ -92,6 +92,15 @@ New in 1.12.2: Bugs fixed in 1.12.2: +* SECURITY VULNERABILITIES! + + - The recipe of the 'distcheck' no longer grants anymore temporary + world-wide write permissions on the extracted distdir. Even if such + rights were only granted for a vanishingly small time window, the + implied race condition proved to be enough to allow a local attacker + to run arbitrary code with the privileges of the user running "make + distcheck". This is CVE-2012-3386. + * Long-standing bugs: - The "recheck" targets behaves better in the face of build failures diff --git a/lib/am/distdir.am b/lib/am/distdir.am index e27b650..f636a1e 100644 --- a/lib/am/distdir.am +++ b/lib/am/distdir.am @@ -449,7 +449,7 @@ distcheck: dist ## Make the new source tree read-only. Distributions ought to work in ## this case. However, make the top-level directory writable so we ## can make our new subdirs. - chmod -R a-w $(distdir); chmod a+w $(distdir) + chmod -R a-w $(distdir); chmod u+w $(distdir) mkdir $(distdir)/_build mkdir $(distdir)/_inst ## Undo the write access. -- 1.7.9.5
