Bug 838660

Summary: CVE-2012-3386 automake: locally exploitable "make distcheck" bug [fedora-all]
Product: Fedora
Reporter: Vincent Danen <vdanen>
Component: automake
Assignee: Pavel Raiskup <praiskup>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 16
CC: eblake, karsten, meyering, ovasik, pbrady
Keywords: Security, SecurityTracking
Hardware: All
OS: Linux
Doc Type: Release Note
Last Closed: 2012-09-18 23:09:36 EDT
Bug Blocks: 838286

Description Vincent Danen 2012-07-09 13:50:28 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
Comment 1 Eric Blake 2012-07-16 18:10:21 EDT
Although the bug may have been rated as a low security impact, it has a higher development impact.  Any package (such as libvirt) that uses gnulib will fail a syntax-check designed to detect the existence of this bug.  Rather than forcing developers across multiple gnulib clients to hand-install a newer automake to get past the gnulib syntax check, it would be nicer to get the new automake (or at least a backport of the security fix applied on top of the existing automake) out the door to Fedora sooner rather than later, as the security bug is not only present in automake, but in all other packages that used broken automake to generate their makefiles.
Comment 2 Jim Meyering 2012-07-18 01:11:46 EDT
I've just increased both severity and priority to "HIGH".
Until this bug is fixed, the distribution automake should not be used by developers:
while developers may know to run "make distcheck" only from a protected
directory or with a restricted umask, few others will know that.

As long as we developers are using the affected automake, we put any user
of our generated tarballs at risk.
Comment 3 Eric Blake 2012-08-10 10:32:07 EDT
This is now a month old with no progress - any word on when a fixed automake will hit Fedora?
Comment 4 Daniel Berrange 2012-08-10 10:33:39 EDT
Can we get this update in Fedora 16 / 17 asap. We are unable to use Fedora as a platform for libvirt development releases without this, since GNULIB raises errors if you attempt to make dist with a vulnerable automake
Comment 5 Fedora Update System 2012-08-14 09:29:43 EDT
automake-1.12.2-2.fc16 has been submitted as an update for Fedora 16.
Comment 6 Fedora Update System 2012-08-14 09:30:00 EDT
automake-1.12.2-2.fc17 has been submitted as an update for Fedora 17.
Comment 7 Pádraig Brady 2012-09-02 18:09:32 EDT
Could we have automake-1.11.6 in F16 and F17.
Comment 8 Eric Blake 2012-09-05 19:27:47 EDT
Coming up on 2 months old, and STILL not fixed in Fedora 17.  This is starting to get seriously annoying.
Comment 9 Eric Blake 2012-09-17 15:43:51 EDT
What's so hard about applying a one-line fix to automake 1.11.3 (basically, s/a+w/u+w/ in the installed /usr/share/automake-1.11/am/distdir.am file), or else updating to automake 1.11.6?  Pretty Please?  I'm tired of F17 being vulnerable.

Can a provenpackager make this change, since the current package owner seems to be unresponsive?
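Two practical checks follow from the thread: comment 9's one-line fix (the distcheck recipe's `chmod a+w $(distdir)` becoming `chmod u+w $(distdir)`), which tells you whether an installed automake template or a tarball's generated Makefile.in is the vulnerable or the fixed variant, and comment 2's workaround of running `make distcheck` only from a directory other users cannot traverse. The script below is an added example, not code from this bug report, from Fedora or from the automake project; the exact match strings are an assumption derived from the s/a+w/u+w/ description, and the sample recipe excerpts it writes are constructed, not copied from any automake release.

```shell
#!/bin/sh
# Added example; not from the bug report or from automake.
# Checks a distcheck recipe for the CVE-2012-3386 world-writable
# $(distdir) chmod, and checks whether the directory distcheck would
# run in is private enough to make that chmod harmless.
set -u

# Print "vulnerable", "fixed" or "unknown" for the distcheck recipe in
# FILE (an installed .../am/distdir.am or a generated Makefile.in).
# Assumption: the vulnerable recipe runs `chmod a+w $(distdir)` before
# creating _build/_inst, the fixed recipe runs `chmod u+w $(distdir)`.
# grep -F matches the strings literally, so `$(`, `+` and `)` need no
# escaping.
classify_distcheck_recipe() {
    if grep -q -F 'chmod a+w $(distdir)' "$1"; then
        echo vulnerable
    elif grep -q -F 'chmod u+w $(distdir)' "$1"; then
        echo fixed
    else
        echo unknown
    fi
}

# Print "protected" if DIR denies search (x) permission to "other"
# users, so a world-writable dist directory created under it cannot be
# reached by other local users; otherwise "exposed".  This is the
# "run distcheck only from a protected directory" workaround.
# Column 10 of `ls -ld` is the other-execute bit (x, t, or -).
classify_parent_dir() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) echo exposed ;;
        *)   echo protected ;;
    esac
}

# Write constructed excerpts of the two recipe variants into DIR.
# Hand-written samples in the shape of a make recipe; not real files.
write_sample_recipes() {
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$1/vulnerable.am"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n\tmkdir $(distdir)/_build\n' \
        > "$1/fixed.am"
}

# Demonstration: classify both samples, then show the same scratch
# directory as "exposed" at mode 0755 and "protected" at mode 0700.
demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_recipes "$tmp"
    for f in vulnerable fixed; do
        echo "$f.am: $(classify_distcheck_recipe "$tmp/$f.am")"
    done
    chmod 0755 "$tmp"; echo "0755 parent: $(classify_parent_dir "$tmp")"
    chmod 0700 "$tmp"; echo "0700 parent: $(classify_parent_dir "$tmp")"
    rm -rf "$tmp"
}

# Real use: point the classifier at the installed template, e.g.
#   classify_distcheck_recipe /usr/share/automake-1.11/am/distdir.am
# or at a tarball's Makefile.in before trusting its distcheck target,
# and run classify_parent_dir on the build tree's parent directory.
if [ "${1:-}" = --demo ]; then
    demo
fi
```

Run it with `sh check-distcheck.sh --demo` to see both classifications. A result of "unknown" on a real Makefile.in means the file carries neither recipe line (no distcheck target, or a different automake generation) and needs a manual look rather than a pass; the parent-directory check only covers the traversal path, so a umask-based workaround still needs the explicit chmod in the recipe to be the u+w variant.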
Comment 10 Fedora Update System 2012-09-17 23:58:06 EDT
automake-1.11.6-1.fc17 has been submitted as an update for Fedora 17.
Comment 11 Fedora Update System 2012-09-17 23:59:28 EDT
automake-1.11.6-1.fc16 has been submitted as an update for Fedora 16.
Comment 12 Pádraig Brady 2012-09-18 00:01:33 EDT
So I noticed 1.11.6 was in git but with a patch to tests that was breaking the build. So I removed that, built and updated F1[67].
(I just got provenpackager status this week).

Hope this is OK Karsten
Comment 13 Jim Meyering 2012-09-18 02:44:14 EDT
Awesome.  Thanks, Pádraig!
Comment 15 Fedora Update System 2012-09-18 22:52:57 EDT
Package automake-1.11.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing automake-1.11.6-1.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2012-09-18 23:09:36 EDT
automake-1.11.6-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2012-09-21 20:08:42 EDT
automake-1.11.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Ondrej Vasik 2012-12-14 04:54:41 EST
Just as a side note - rebasing auto* tools (and developer toolset things) in released Fedoras is not very nice, sometimes it breaks builds for the others (this version was not bugfix only and it did break coreutils build for me because of the PKGLIBDIR deprecation).