Bug 542609 (CVE-2009-4029) - CVE-2009-4029 Automake: Race condition by creation of "distdir" based directory hierarchy
Summary: CVE-2009-4029 Automake: Race condition by creation of "distdir" based directo...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-4029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 542870 542871 542872 542873 542874 543387 543388 543389 543390 543391 543392 543393 543394 543395 543396 543397 543398 543399 543400 543403 543404 543405 543406 545629 545630 545631 545632 545633 563434 563435 563436
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-30 10:57 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-04 19:56:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0321 normal SHIPPED_LIVE Low: automake security update 2010-03-29 14:44:00 UTC

Description Jan Lieskovsky 2009-11-30 10:57:10 UTC
Jim Meyering found a race condition in the way Automake used to
prepare content of directories hierarchy (top-level directory
and its subdirectories), when the "distdir" based Automake target
was used. A local attacker could use this flaw to inject malicious
content into the resulting directory and potentially subsequently
execute arbitrary code with the privileges of the user issuing
the "./configure" command.

Upstream patch:
---------------
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/3743

Comment 2 Jan Lieskovsky 2009-11-30 11:48:24 UTC
This issue affects the versions of the automake package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the automake package, as shipped
with Fedora release of 10, 11, and 12.

Comment 3 Jan Lieskovsky 2009-11-30 14:21:34 UTC
This is CVE-2009-4029.

Comment 12 Vincent Danen 2009-12-09 00:21:41 UTC
This is now public and fixed upstream in 1.11.1:

http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html

Comment 18 Fedora Update System 2009-12-10 17:57:22 UTC
automake-1.11.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake-1.11.1-1.fc12

Comment 19 Fedora Update System 2010-01-02 03:29:25 UTC
automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Jim Meyering 2010-01-28 08:29:11 UTC
FYI, more details appeared in this announcement:

http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131

Comment 24 Fedora Update System 2010-02-01 01:11:23 UTC
automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2010-02-09 15:00:04 UTC
automake15-1.5-29.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12

Comment 26 Fedora Update System 2010-02-09 15:15:20 UTC
automake15-1.5-29.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11

Comment 32 Tomas Hoger 2010-02-10 11:21:29 UTC
Jim's post mentioning a safety check added to gnu.org to prevent uploads of new tarballs with unfixed Makefiles:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/127673

Comment 34 Tomas Hoger 2010-02-16 08:02:33 UTC
Affected Makefile targets (thanks to Jim for assembling the list):

dist
distcheck
dist-gzip
dist-bzip2
dist-lzma
dist-xz
dist-tarZ
dist-shar
dist-zip

Some dist-* targets may not be supported by older automake versions.

Comment 36 Tomas Hoger 2010-02-16 08:31:29 UTC
Permission 777 on directories inside distribution tarballs was required by GNU Coding Standards for backwards compatibility with old tar versions.  As a follow-up to this issue, GNU Coding standards were updated to recommend 755 now:

http://savannah.gnu.org/forum/forum.php?forum_id=6084
http://cvs.savannah.gnu.org/viewvc/gnustandards/standards.texi?root=gnustandards&view=log#rev1.190

http://www.gnu.org/prep/standards/html_node/Releases.html

  Make sure that all the files in the distribution are world-readable, and
  that directories are world-readable and world-searchable (octal mode 755).
  We used to recommend that all directories in the distribution also be world-
  writable (octal mode 777), because ancient versions of tar would otherwise
  not cope when extracting the archive as an unprivileged user. That can
  easily lead to security issues when creating the archive, however, so now
  we recommend against that.

Comment 37 Fedora Update System 2010-02-16 13:57:30 UTC
automake15-1.5-29.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12.1

Comment 38 Fedora Update System 2010-02-16 14:09:37 UTC
automake15-1.5-29.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11.1

Comment 39 Fedora Update System 2010-02-16 14:14:53 UTC
automake16-1.6.3-18.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc12.1

Comment 40 Fedora Update System 2010-02-16 14:30:21 UTC
automake16-1.6.3-18.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc11.1

Comment 41 Fedora Update System 2010-02-16 14:33:50 UTC
automake17-1.7.9-13.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc12.1

Comment 42 Fedora Update System 2010-02-16 15:33:26 UTC
automake17-1.7.9-13.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc11.1

Comment 44 Fedora Update System 2010-03-04 00:04:11 UTC
automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 45 Fedora Update System 2010-03-04 00:09:52 UTC
automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 46 Fedora Update System 2010-03-04 00:17:55 UTC
automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 47 Fedora Update System 2010-03-04 00:18:45 UTC
automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 48 Fedora Update System 2010-03-04 00:19:05 UTC
automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 49 Fedora Update System 2010-03-04 00:19:32 UTC
automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 50 Fedora Update System 2010-03-04 00:21:51 UTC
automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 51 Fedora Update System 2010-03-04 00:23:19 UTC
automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 52 errata-xmlrpc 2010-03-30 09:08:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0321 https://rhn.redhat.com/errata/RHSA-2010-0321.html

Comment 57 Josh Bressers 2010-08-04 19:56:40 UTC
This has been fixed.


Note You need to log in before you can comment on or make changes to this bug.