Bug 542609 (CVE-2009-4029)
| Summary: | CVE-2009-4029 Automake: Race condition by creation of "distdir" based directory hierarchy | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bressers, karsten, kreilly, meyering, mikem, mjc, rstrode, security-response-team, tao, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-08-04 19:56:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 542870, 542871, 542872, 542873, 542874, 543387, 543388, 543389, 543390, 543391, 543392, 543393, 543394, 543395, 543396, 543397, 543398, 543399, 543400, 543403, 543404, 543405, 543406, 545629, 545630, 545631, 545632, 545633, 563434, 563435, 563436 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2009-11-30 10:57:10 UTC
This issue affects the versions of the automake package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the automake package, as shipped with Fedora release of 10, 11, and 12. This is CVE-2009-4029. This is now public and fixed upstream in 1.11.1: http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html automake-1.11.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake-1.11.1-1.fc12 automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. FYI, more details appeared in this announcement: http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131 automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. automake15-1.5-29.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12 automake15-1.5-29.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11 Jim's post mentioning a safety check added to gnu.org to prevent uploads of new tarballs with unfixed Makefiles: http://thread.gmane.org/gmane.linux.redhat.fedora.devel/127673 Affected Makefile targets (thanks to Jim for assembling the list): dist distcheck dist-gzip dist-bzip2 dist-lzma dist-xz dist-tarZ dist-shar dist-zip Some dist-* targets may not be supported by older automake versions. Upstream commits: 1.11: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1.11&id=efb6899421e6a581445c3ed9ee7ff768975489ef 1.7: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-7&id=39a251ea236c055aa93781bf90ebc526c2345217 1.6: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-6&id=e30bf87d9b0503a5e1a7d400597a63502b9a74e5 1.5: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-5&id=b1c42762931e9cd03aee3e4b4284dc2920c9eabc 1.4: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-4&id=449d20aa12e13fefd848604225fc83d0c39c61d0 Permission 777 on directories inside distribution tarballs was required by GNU Coding Standards for backwards compatibility with old tar versions. As a follow-up to this issue, GNU Coding standards were updated to recommend 755 now: http://savannah.gnu.org/forum/forum.php?forum_id=6084 http://cvs.savannah.gnu.org/viewvc/gnustandards/standards.texi?root=gnustandards&view=log#rev1.190 http://www.gnu.org/prep/standards/html_node/Releases.html Make sure that all the files in the distribution are world-readable, and that directories are world-readable and world-searchable (octal mode 755). We used to recommend that all directories in the distribution also be world- writable (octal mode 777), because ancient versions of tar would otherwise not cope when extracting the archive as an unprivileged user. That can easily lead to security issues when creating the archive, however, so now we recommend against that. automake15-1.5-29.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12.1 automake15-1.5-29.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11.1 automake16-1.6.3-18.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc12.1 automake16-1.6.3-18.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc11.1 automake17-1.7.9-13.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc12.1 automake17-1.7.9-13.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc11.1 automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0321 https://rhn.redhat.com/errata/RHSA-2010-0321.html This has been fixed. |