Jim Meyering found a race condition in the way Automake used to prepare content of directories hierarchy (top-level directory and its subdirectories), when the "distdir" based Automake target was used. A local attacker could use this flaw to inject malicious content into the resulting directory and potentially subsequently execute arbitrary code with the privileges of the user issuing the "./configure" command. Upstream patch: --------------- http://thread.gmane.org/gmane.comp.sysutils.automake.patches/3743
This issue affects the versions of the automake package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the automake package, as shipped with Fedora release of 10, 11, and 12.
This is CVE-2009-4029.
This is now public and fixed upstream in 1.11.1: http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
automake-1.11.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake-1.11.1-1.fc12
automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
FYI, more details appeared in this announcement: http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
automake15-1.5-29.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12
automake15-1.5-29.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11
Jim's post mentioning a safety check added to gnu.org to prevent uploads of new tarballs with unfixed Makefiles: http://thread.gmane.org/gmane.linux.redhat.fedora.devel/127673
Affected Makefile targets (thanks to Jim for assembling the list): dist distcheck dist-gzip dist-bzip2 dist-lzma dist-xz dist-tarZ dist-shar dist-zip Some dist-* targets may not be supported by older automake versions.
Upstream commits: 1.11: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1.11&id=efb6899421e6a581445c3ed9ee7ff768975489ef 1.7: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-7&id=39a251ea236c055aa93781bf90ebc526c2345217 1.6: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-6&id=e30bf87d9b0503a5e1a7d400597a63502b9a74e5 1.5: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-5&id=b1c42762931e9cd03aee3e4b4284dc2920c9eabc 1.4: http://git.savannah.gnu.org/cgit/automake.git/commit/?h=branch-1-4&id=449d20aa12e13fefd848604225fc83d0c39c61d0
Permission 777 on directories inside distribution tarballs was required by GNU Coding Standards for backwards compatibility with old tar versions. As a follow-up to this issue, GNU Coding standards were updated to recommend 755 now: http://savannah.gnu.org/forum/forum.php?forum_id=6084 http://cvs.savannah.gnu.org/viewvc/gnustandards/standards.texi?root=gnustandards&view=log#rev1.190 http://www.gnu.org/prep/standards/html_node/Releases.html Make sure that all the files in the distribution are world-readable, and that directories are world-readable and world-searchable (octal mode 755). We used to recommend that all directories in the distribution also be world- writable (octal mode 777), because ancient versions of tar would otherwise not cope when extracting the archive as an unprivileged user. That can easily lead to security issues when creating the archive, however, so now we recommend against that.
automake15-1.5-29.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc12.1
automake15-1.5-29.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake15-1.5-29.fc11.1
automake16-1.6.3-18.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc12.1
automake16-1.6.3-18.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake16-1.6.3-18.fc11.1
automake17-1.7.9-13.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc12.1
automake17-1.7.9-13.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/automake17-1.7.9-13.fc11.1
automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0321 https://rhn.redhat.com/errata/RHSA-2010-0321.html
This has been fixed.