Bug 838660
Summary: | CVE-2012-3386 automake: locally exploitable "make distcheck" bug [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Vincent Danen <vdanen> |
Component: | automake | Assignee: | Pavel Raiskup <praiskup> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 16 | CC: | eblake, karsten, meyering, ovasik, pbrady |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Release Note |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-09-19 03:09:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 838286 |
Description
Vincent Danen
2012-07-09 17:50:28 UTC
Although the bug may have been rated as a low security impact, it has a higher development impact. Any package (such as libvirt) that uses gnulib will fail a syntax-check designed to detect the existence of this bug. Rather than forcing developers across multiple gnulib clients to hand-install a newer automake to get past the gnulib syntax check, it would be nicer to get the new automake (or at least a backport of the security fix applied on top of the existing automake) out the door to Fedora sooner rather than later, as the security bug is not only present in automake, but in all other packages that used broken automake to generate their makefiles.

I've just increased both severity and priority to "HIGH". Until this bug is fixed, the distribution automake should not be used by developers: while developers may know to run "make distcheck" only from a protected directory or with a restricted umask, few others will know that. As long as we developers are using the affected automake, we put any user of our generated tarballs at risk.

This is now a month old with no progress - any word on when a fixed automake will hit Fedora?

Can we get this update in Fedora 16 / 17 asap? We are unable to use Fedora as a platform for libvirt development releases without this, since GNULIB raises errors if you attempt to make dist with a vulnerable automake.

automake-1.12.2-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/automake-1.12.2-2.fc16

automake-1.12.2-2.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/automake-1.12.2-2.fc17

Could we have automake-1.11.6 in F16 and F17? Thanks.

Coming up on 2 months old, and STILL not fixed in Fedora 17. This is starting to get seriously annoying. What's so hard about applying a one-line fix to automake 1.11.3 (basically, s/a+w/u+w/ in the installed /usr/share/automake-1.11/am/distdir.am file), or else updating to automake 1.11.6? Pretty Please?

I'm tired of F17 being vulnerable. Can a provenpackager make this change, since the current package owner seems to be unresponsive?

automake-1.11.6-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/automake-1.11.6-1.fc17

automake-1.11.6-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/automake-1.11.6-1.fc16

So I noticed 1.11.6 was in git but with a patch to tests that was breaking the build. So I removed that, built and updated F1[67]. (I just got provenpackager status this week.) Hope this is OK, Karsten.

Awesome. Thanks, Pádraig!

Package automake-1.11.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with: # su -c 'yum update --enablerepo=updates-testing automake-1.11.6-1.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-14297/automake-1.11.6-1.fc16 then log in and leave karma (feedback).

automake-1.11.6-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

automake-1.11.6-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Just as a side note - rebasing auto* tools (and developer toolset things) in released Fedoras is not very nice, sometimes it breaks builds for the others (this version was not bugfix only and it did break coreutils build for me because of the PKGLIBDIR deprecation).
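A packager-side check for the one-line fix the thread describes (s/a+w/u+w/ in distdir.am), added here as an example; it is not code from the bug report, from automake or from gnulib. It greps a distdir.am template or a generated Makefile.in for the distcheck rule that makes $(distdir) world-writable with "chmod a+w" versus the fixed "chmod u+w"; the path /usr/share/automake-1.11 is the one named in the thread, and the sample Makefile.in files it builds are constructed stand-ins for real automake output.

```shell
#!/bin/sh
# Added example, not code from the bug report, automake or gnulib.
# Looks for the distcheck rule CVE-2012-3386 changed: the vulnerable rule
# re-opens $(distdir) world-writable ("chmod a+w"), the fixed rule uses
# "chmod u+w". Return codes: 0 fixed, 1 vulnerable, 2 no such rule found.
check_distdir_perms() {
  f=$1
  [ -r "$f" ] || { echo "$f: cannot read" >&2; return 2; }
  if grep -Eq 'chmod[[:blank:]]+a\+w[[:blank:]]+\$\(distdir\)' "$f"; then
    echo "$f: VULNERABLE (chmod a+w \$(distdir), CVE-2012-3386)"
    return 1
  fi
  if grep -Eq 'chmod[[:blank:]]+u\+w[[:blank:]]+\$\(distdir\)' "$f"; then
    echo "$f: fixed (chmod u+w \$(distdir))"
    return 0
  fi
  echo "$f: no distdir chmod rule found"
  return 2
}

# Scan every distdir.am template and Makefile.in below DIR, e.g. the
# installed /usr/share/automake-1.11 tree named in the thread, or an
# unpacked release tarball. Returns 1 if any file carries the vulnerable
# rule. Assumes paths without whitespace (plain for-over-find).
scan_tree() {
  bad=0
  for f in $(find "$1" \( -name distdir.am -o -name Makefile.in \) -print); do
    r=0; check_distdir_perms "$f" || r=$?
    [ "$r" -eq 1 ] && bad=$((bad + 1))
  done
  echo "$bad vulnerable file(s) under $1"
  [ "$bad" -eq 0 ]
}

# Constructed samples standing in for generated Makefile.in files:
# one with the pre-fix rule, one with the post-fix rule.
make_samples() {
  d=$(mktemp -d)
  mkdir "$d/vuln" "$d/fixed"
  printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
    > "$d/vuln/Makefile.in"
  printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
    > "$d/fixed/Makefile.in"
  echo "$d"
}

# Usage: sh check-distdir.sh DIR; with no argument, scan the samples.
if [ $# -gt 0 ]; then scan_tree "$1"; else d=$(make_samples); scan_tree "$d" || true; rm -rf "$d"; fi
```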