*** This bug is a security vulnerability ***

Public security bug reported:

Stefano Lattarini discovered a vulnerability in automake that is much like the one that prompted CVE-2009-4029: automake's distcheck rule makes distdir briefly world-writable. Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the "make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions, an attacker can cause the person running "make distcheck" in an attacker-accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is exploitable.

http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

** Affects: automake (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: automake (Debian)
     Importance: Unknown
         Status: Unknown

** Affects: automake (Fedora)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #681097
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681097

** Also affects: automake (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681097
     Importance: Unknown
         Status: Unknown

** Bug watch added: Red Hat Bugzilla #838286
   https://bugzilla.redhat.com/show_bug.cgi?id=838286

** Also affects: automake (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=838286
     Importance: Unknown
         Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3386

** Visibility changed to: Public
https://bugs.launchpad.net/bugs/1023960

Title:
  (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug
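
A defender-side check for the condition this report describes, added here as an example (not part of the report or of automake): it flags generated Makefile.in files that still carry a world-writable chmod on distdir and reports whether other local users can traverse to them. Assumptions: the pre-fix distcheck recipe contains the command `chmod a+w $(distdir)`, which this page does not quote, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit source trees for the relaxed distdir permissions
# described in this report. Nothing here is automake's own code.

# Assumption: command emitted by pre-fix automake in the distcheck recipe.
VULN_PATTERN='chmod a+w $(distdir)'

# makefile_has_relaxed_distdir FILE
# Returns 0 when FILE still contains the world-writable chmod.
makefile_has_relaxed_distdir() {
    grep -F -q -- "$VULN_PATTERN" "$1"
}

# reachable_by_others DIR
# Returns 0 when every component from DIR up to / grants o+x, i.e. DIR is
# "attacker-accessible" in the report's sense; 1 when some ancestor blocks
# other users; 2 when DIR cannot be resolved.
reachable_by_others() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    while :; do
        # 10th character of the ls mode string is the "other execute" bit;
        # 'x' or 't' (sticky + execute) both allow traversal.
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;
            *) return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# audit_tree ROOT
# Prints one line per affected Makefile.in under ROOT, prefixed EXPOSED when
# other local users can reach its directory and "private" when they cannot.
audit_tree() {
    find "$1" -type f -name Makefile.in \
        -exec grep -F -l -- "$VULN_PATTERN" {} + |
    while IFS= read -r mf; do
        if reachable_by_others "$(dirname "$mf")"; then
            echo "EXPOSED $mf"
        else
            echo "private $mf"
        fi
    done
}
```

Files reported as EXPOSED are the ones to regenerate with a fixed automake, or to build only from a directory whose ancestors deny access to other users.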