Bug 542609 (CVE-2009-4029)

Summary: CVE-2009-4029 Automake: Race condition by creation of "distdir" based directory hierarchy
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: bressers, karsten, kreilly, meyering, mikem, mjc, rstrode, security-response-team, tao, vdanen
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,source=redhat,reported=20091130,public=20091208,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P
Doc Type: Bug Fix
Last Closed: 2010-08-04 15:56:40 EDT
Bug Depends On: 542870, 542871, 542872, 542873, 542874, 543387, 543388, 543389, 543390, 543391, 543392, 543393, 543394, 543395, 543396, 543397, 543398, 543399, 543400, 543403, 543404, 543405, 543406, 545629, 545630, 545631, 545632, 545633, 563434, 563435, 563436

Description Jan Lieskovsky 2009-11-30 05:57:10 EST
Jim Meyering found a race condition in the way Automake used to
prepare content of a directory hierarchy (top-level directory
and its subdirectories), when the "distdir" based Automake target
was used. A local attacker could use this flaw to inject malicious
content into the resulting directory and potentially subsequently
execute arbitrary code with the privileges of the user issuing
the "./configure" command.

Upstream patch:
---------------
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/3743
Comment 2 Jan Lieskovsky 2009-11-30 06:48:24 EST
This issue affects the versions of the automake package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the automake package, as shipped
with Fedora release of 10, 11, and 12.
Comment 3 Jan Lieskovsky 2009-11-30 09:21:34 EST
This is CVE-2009-4029.
Comment 12 Vincent Danen 2009-12-08 19:21:41 EST
This is now public and fixed upstream in 1.11.1:

http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
Comment 18 Fedora Update System 2009-12-10 12:57:22 EST
automake-1.11.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake-1.11.1-1.fc12
Comment 19 Fedora Update System 2010-01-01 22:29:25 EST
automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Jim Meyering 2010-01-28 03:29:11 EST
FYI, more details appeared in this announcement:

http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
Comment 24 Fedora Update System 2010-01-31 20:11:23 EST
automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2010-02-09 10:00:04 EST
automake15-1.5-29.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12
Comment 26 Fedora Update System 2010-02-09 10:15:20 EST
automake15-1.5-29.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11
Comment 32 Tomas Hoger 2010-02-10 06:21:29 EST
Jim's post mentioning a safety check added to gnu.org to prevent uploads of new tarballs with unfixed Makefiles:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/127673
Comment 34 Tomas Hoger 2010-02-16 03:02:33 EST
Affected Makefile targets (thanks to Jim for assembling the list):

dist
distcheck
dist-gzip
dist-bzip2
dist-lzma
dist-xz
dist-tarZ
dist-shar
dist-zip

Some dist-* targets may not be supported by older automake versions.
Comment 36 Tomas Hoger 2010-02-16 03:31:29 EST
Permission 777 on directories inside distribution tarballs was required by GNU Coding Standards for backwards compatibility with old tar versions.  As a follow-up to this issue, GNU Coding standards were updated to recommend 755 now:

http://savannah.gnu.org/forum/forum.php?forum_id=6084
http://cvs.savannah.gnu.org/viewvc/gnustandards/standards.texi?root=gnustandards&view=log#rev1.190

http://www.gnu.org/prep/standards/html_node/Releases.html

  Make sure that all the files in the distribution are world-readable, and
  that directories are world-readable and world-searchable (octal mode 755).
  We used to recommend that all directories in the distribution also be world-
  writable (octal mode 777), because ancient versions of tar would otherwise
  not cope when extracting the archive as an unprivileged user. That can
  easily lead to security issues when creating the archive, however, so now
  we recommend against that.
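As an added defensive check (not code from this bug report or from automake), the following Python scan flags tarball members whose mode grants write permission to "other", i.e. the 777 directories the quoted GNU Coding Standards text now recommends against. The archive it inspects is a constructed sample, not a real release.

```python
import io
import stat
import tarfile


def world_writable_members(tar_bytes):
    """Return (name, kind, mode) for every tarball member that is world-writable.

    Takes the raw bytes of a (possibly compressed) tar archive so the check can
    run on a release artifact before anyone extracts it. Symlinks are skipped
    because their recorded mode is not meaningful.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if member.issym():
                continue
            if member.mode & stat.S_IWOTH:
                kind = "dir" if member.isdir() else "file"
                found.append((member.name, kind, oct(member.mode)))
    return found


def build_sample_tarball():
    """Constructed sample: a dist tree with one 777 directory (the old 'ancient
    tar' layout) and one 755 directory (the layout the standards now require)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, is_dir in [
            ("pkg-1.0", 0o755, True),
            ("pkg-1.0/src", 0o777, True),          # world-writable: flagged
            ("pkg-1.0/README", 0o644, False),
            ("pkg-1.0/src/main.c", 0o666, False),  # world-writable: flagged
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            data = b"" if is_dir else b"x"
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, mode in world_writable_members(build_sample_tarball()):
        print(f"world-writable {kind}: {name} (mode {mode})")
```

Running it on a real release tarball (`world_writable_members(open(path, "rb").read())`) gives a quick pre-extraction check for the permission pattern this bug concerns.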
Comment 37 Fedora Update System 2010-02-16 08:57:30 EST
automake15-1.5-29.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12.1
Comment 38 Fedora Update System 2010-02-16 09:09:37 EST
automake15-1.5-29.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11.1
Comment 39 Fedora Update System 2010-02-16 09:14:53 EST
automake16-1.6.3-18.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc12.1
Comment 40 Fedora Update System 2010-02-16 09:30:21 EST
automake16-1.6.3-18.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc11.1
Comment 41 Fedora Update System 2010-02-16 09:33:50 EST
automake17-1.7.9-13.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc12.1
Comment 42 Fedora Update System 2010-02-16 10:33:26 EST
automake17-1.7.9-13.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc11.1
Comment 44 Fedora Update System 2010-03-03 19:04:11 EST
automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 45 Fedora Update System 2010-03-03 19:09:52 EST
automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 46 Fedora Update System 2010-03-03 19:17:55 EST
automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 47 Fedora Update System 2010-03-03 19:18:45 EST
automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 48 Fedora Update System 2010-03-03 19:19:05 EST
automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 49 Fedora Update System 2010-03-03 19:19:32 EST
automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 50 Fedora Update System 2010-03-03 19:21:51 EST
automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 51 Fedora Update System 2010-03-03 19:23:19 EST
automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 52 errata-xmlrpc 2010-03-30 05:08:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0321 https://rhn.redhat.com/errata/RHSA-2010-0321.html
Comment 57 Josh Bressers 2010-08-04 15:56:40 EDT
This has been fixed.