Bug 838286 (CVE-2012-3386)
| Summary: | CVE-2012-3386 automake: locally exploitable "make distcheck" bug | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jim Meyering <meyering> | ||||
| Component: | vulnerability | Assignee: | Stefan Cornelius <scorneli> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | ajia, jrusnack, mcermak, mjc, praiskup, rjones, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
|
Story Points: | --- | ||||
| Clone Of: | |||||||
| : | 848469 848470 (view as bug list) | Environment: | |||||
| Last Closed: | 2015-02-19 21:10:03 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 838660, 838661, 848469, 848470 | ||||||
| Bug Blocks: | 838459, 855229, 1063682 | ||||||
| Attachments: |
|
||||||
|
Description
Jim Meyering
2012-07-08 09:29:01 UTC
Created attachment 596864 [details]
planned fix
FYI, Stefano wrote: "git blame" tells me that the offending "chmod a+w" command has been there (ignoring trivial changes and code movements) since almost "forever" (at least since commit 6a60072d, where configure.in defines an Automake version of 1.4a). Stefano plans to release fixed automake in the next day or so. Thank you very much for reporting this. Do you need a new CVE for this, or is there already a CVE request/assignment in progress? Yes, please. If you can give us a CVE number, that'd be welcome. (In reply to comment #5) > Yes, please. If you can give us a CVE number, that'd be welcome. Please use CVE-2012-3386 for this issue. Thanks! The patch/bug are now public: http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572 In addition, GNU Automake 1.12.2 (with this fix) has been released. Created automake17 tracking bugs for this issue Affects: fedora-all [bug 838661] Created automake tracking bugs for this issue Affects: fedora-all [bug 838660] Fixed upstream in GIT and versions 1.11.6 and 1.12.2. References: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76 https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html Acknowledgements: Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0526 https://rhn.redhat.com/errata/RHSA-2013-0526.html IssueDescription: It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck". This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1243 https://rhn.redhat.com/errata/RHSA-2014-1243.html |