Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-3386 automake: locally exploitable "make distcheck" bug
Product: [Other] Security Response
Reporter: Jim Meyering <meyering>
Component: vulnerability
Assignee: Stefan Cornelius <scorneli>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: ajia, jrusnack, mcermak, mjc, praiskup, rjones, security-response-team
Fixed In Version:
Doc Type: Bug Fix
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
|:||848469 848470 (view as bug list)||Environment:|
Last Closed: 2015-02-19 16:10:03 EST
Type: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 838660, 838661, 848469, 848470
Bug Blocks: 838459, 855229, 1063682
Description Jim Meyering 2012-07-08 05:29:01 EDT
Description of problem:
Stefano Lattarini discovered a vulnerability in automake that is much like the one that prompted CVE-2009-4029: automake's distcheck rule makes distdir briefly world-writable. Stefano also wrote the patch below. This bug is slightly more limited because it affects only the "make distcheck" rule, while CVE-2009-4029 affected all dist* rules. The point is that with these temporarily-relaxed directory permissions, an attacker can cause the person running "make distcheck" in an attacker-accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is exploitable.
Comment 2 Jim Meyering 2012-07-08 05:47:17 EDT
FYI, Stefano wrote: "git blame" tells me that the offending "chmod a+w" command has been there (ignoring trivial changes and code movements) since almost "forever" (at least since commit 6a60072d, where configure.in defines an Automake version of 1.4a).
Comment 3 Jim Meyering 2012-07-08 05:48:11 EDT
Stefano plans to release fixed automake in the next day or so.
Comment 4 Stefan Cornelius 2012-07-09 03:59:11 EDT
Thank you very much for reporting this. Do you need a new CVE for this, or is there already a CVE request/assignment in progress?
Comment 5 Jim Meyering 2012-07-09 04:05:25 EDT
Yes, please. If you can give us a CVE number, that'd be welcome.
Comment 6 Stefan Cornelius 2012-07-09 04:25:35 EDT
(In reply to comment #5)
> Yes, please. If you can give us a CVE number, that'd be welcome.
Please use CVE-2012-3386 for this issue. Thanks!
Comment 7 Jim Meyering 2012-07-09 12:38:50 EDT
The patch/bug are now public:
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
In addition, GNU Automake 1.12.2 (with this fix) has been released.
Comment 8 Vincent Danen 2012-07-09 13:50:43 EDT
Created automake17 tracking bugs for this issue
Affects: fedora-all [bug 838661]
Comment 9 Vincent Danen 2012-07-09 13:50:45 EDT
Created automake tracking bugs for this issue
Affects: fedora-all [bug 838660]
Comment 10 Stefan Cornelius 2012-07-10 01:48:48 EDT
Fixed upstream in GIT and versions 1.11.6 and 1.12.2.
References:
http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
Comment 12 Murray McAllister 2013-02-19 22:49:51 EST
Acknowledgements: Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter.
Comment 13 errata-xmlrpc 2013-02-21 06:04:32 EST
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0526 https://rhn.redhat.com/errata/RHSA-2013-0526.html
Comment 14 Huzaifa S. Sidhpurwala 2013-02-21 23:44:09 EST
Statement: This issue affects the version of automake15, automake16 and automake17 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of automake15 and automake16 as shipped with Red Hat Enterprise Linux 6. A future update may address this flaw in various affected versions of automake.
Comment 16 Martin Prpic 2014-08-26 04:02:40 EDT
IssueDescription: It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
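
A check for the flaw tracked in this bug, as an added example that is not part of the bug report, the upstream patch, or Automake itself: it lists generated Makefile.in files whose distcheck recipe still contains the `chmod a+w $(distdir)` command named in comment 2. The function names and the two sample recipes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Automake's or Red Hat's code): list Automake-generated
# Makefile.in files whose distcheck recipe still runs "chmod a+w $(distdir)",
# the command this bug identifies as making distdir world-writable.

# scan_distcheck DIR
# Prints each matching Makefile.in path under DIR.
# Exit status follows grep: 0 if at least one match, 1 if none.
scan_distcheck() {
    hits=$(find "${1:-.}" -type f -name Makefile.in -exec awk '
        FNR == 1      { in_rule = 0; seen = 0 }   # new file: reset state
        /^distcheck:/ { in_rule = 1; next }       # recipe starts here
        # A non-empty line that does not begin with a tab ends the recipe.
        in_rule && length($0) && !/^\t/ { in_rule = 0 }
        in_rule && !seen && /chmod[ \t]+a\+w[ \t]+\$\(distdir\)/ {
            print FILENAME; seen = 1
        }
    ' {} +)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_demo_tree
# Builds a throwaway tree with two CONSTRUCTED, abbreviated Makefile.in
# files and prints its path. "old" has the world-writable chmod inside the
# distcheck recipe; "new" does not, and mentions the command only in an
# unrelated rule, which must not be reported.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/old" "$d/new"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n\ninstallcheck:\n\t@:\n' \
        > "$d/old/Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir)\n\tchmod u+w $(distdir)\n\tmkdir $(distdir)/_build\n\nnote:\n\t@echo "chmod a+w $(distdir) is gone"\n' \
        > "$d/new/Makefile.in"
    printf '%s\n' "$d"
}

# Typical use: scan_distcheck /path/to/source/trees
```

A hit means the Makefile.in was generated by an Automake release that predates the fix; regenerating it with a fixed Automake (1.11.6 or 1.12.2 per comment 10) replaces the recipe.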