Bug 542609 - (CVE-2009-4029) CVE-2009-4029 Automake: Race condition by creation of "distdir" based directory hierarchy
CVE-2009-4029 Automake: Race condition by creation of "distdir" based directo...
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,source=redhat,reported=200...
: Security
Depends On: 542870 542871 542872 542873 542874 543387 543388 543389 543390 543391 543392 543393 543394 543395 543396 543397 543398 543399 543400 543403 543404 543405 543406 545629 545630 545631 545632 545633 563434 563435 563436
Blocks:
  Show dependency treegraph
 
Reported: 2009-11-30 05:57 EST by Jan Lieskovsky
Modified: 2010-10-23 09:29 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-04 15:56:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2009-11-30 05:57:10 EST
Jim Meyering found a race condition in the way Automake used to
prepare content of directories hierarchy (top-level directory
and its subdirectories), when the "distdir" based Automake target
was used. A local attacker could use this flaw to inject malicious
content into the resulting directory and potentially subsequently
execute arbitrary code with the privileges of the user issuing
the "./configure" command.

Upstream patch:
---------------
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/3743
Comment 2 Jan Lieskovsky 2009-11-30 06:48:24 EST
This issue affects the versions of the automake package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the automake package, as shipped
with Fedora release of 10, 11, and 12.
Comment 3 Jan Lieskovsky 2009-11-30 09:21:34 EST
This is CVE-2009-4029.
Comment 12 Vincent Danen 2009-12-08 19:21:41 EST
This is now public and fixed upstream in 1.11.1:

http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
Comment 18 Fedora Update System 2009-12-10 12:57:22 EST
automake-1.11.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake-1.11.1-1.fc12
Comment 19 Fedora Update System 2010-01-01 22:29:25 EST
automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Jim Meyering 2010-01-28 03:29:11 EST
FYI, more details appeared in this announcement:

http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
Comment 24 Fedora Update System 2010-01-31 20:11:23 EST
automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2010-02-09 10:00:04 EST
automake15-1.5-29.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12
Comment 26 Fedora Update System 2010-02-09 10:15:20 EST
automake15-1.5-29.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11
Comment 32 Tomas Hoger 2010-02-10 06:21:29 EST
Jim's post mentioning a safety check added to gnu.org to prevent uploads of new tarballs with unfixed Makefiles:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/127673
Comment 34 Tomas Hoger 2010-02-16 03:02:33 EST
Affected Makefile targets (thanks to Jim for assembling the list):

dist
distcheck
dist-gzip
dist-bzip2
dist-lzma
dist-xz
dist-tarZ
dist-shar
dist-zip

Some dist-* targets may not be supported by older automake versions.
Comment 36 Tomas Hoger 2010-02-16 03:31:29 EST
Permission 777 on directories inside distribution tarballs was required by GNU Coding Standards for backwards compatibility with old tar versions.  As a follow-up to this issue, GNU Coding standards were updated to recommend 755 now:

http://savannah.gnu.org/forum/forum.php?forum_id=6084
http://cvs.savannah.gnu.org/viewvc/gnustandards/standards.texi?root=gnustandards&view=log#rev1.190

http://www.gnu.org/prep/standards/html_node/Releases.html

  Make sure that all the files in the distribution are world-readable, and
  that directories are world-readable and world-searchable (octal mode 755).
  We used to recommend that all directories in the distribution also be world-
  writable (octal mode 777), because ancient versions of tar would otherwise
  not cope when extracting the archive as an unprivileged user. That can
  easily lead to security issues when creating the archive, however, so now
  we recommend against that.
Comment 37 Fedora Update System 2010-02-16 08:57:30 EST
automake15-1.5-29.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12.1
Comment 38 Fedora Update System 2010-02-16 09:09:37 EST
automake15-1.5-29.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11.1
Comment 39 Fedora Update System 2010-02-16 09:14:53 EST
automake16-1.6.3-18.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc12.1
Comment 40 Fedora Update System 2010-02-16 09:30:21 EST
automake16-1.6.3-18.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc11.1
Comment 41 Fedora Update System 2010-02-16 09:33:50 EST
automake17-1.7.9-13.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc12.1
Comment 42 Fedora Update System 2010-02-16 10:33:26 EST
automake17-1.7.9-13.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc11.1
Comment 44 Fedora Update System 2010-03-03 19:04:11 EST
automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 45 Fedora Update System 2010-03-03 19:09:52 EST
automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 46 Fedora Update System 2010-03-03 19:17:55 EST
automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 47 Fedora Update System 2010-03-03 19:18:45 EST
automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 48 Fedora Update System 2010-03-03 19:19:05 EST
automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 49 Fedora Update System 2010-03-03 19:19:32 EST
automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 50 Fedora Update System 2010-03-03 19:21:51 EST
automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 51 Fedora Update System 2010-03-03 19:23:19 EST
automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 52 errata-xmlrpc 2010-03-30 05:08:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0321 https://rhn.redhat.com/errata/RHSA-2010-0321.html
Comment 57 Josh Bressers 2010-08-04 15:56:40 EDT
This has been fixed.

Note You need to log in before you can comment on or make changes to this bug.