Bug 838660 - CVE-2012-3386 automake: locally exploitable "make distcheck" bug [fedora-all]
Summary: CVE-2012-3386 automake: locally exploitable "make distcheck" bug [fedora-all]
Alias: None
Product: Fedora
Classification: Fedora
Component: automake
Version: 16
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Pavel Raiskup
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: CVE-2012-3386
TreeView+ depends on / blocked
Reported: 2012-07-09 17:50 UTC by Vincent Danen
Modified: 2012-12-14 14:37 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed: 2012-09-19 03:09:36 UTC
Type: ---

Attachments (Terms of Use)

Description Vincent Danen 2012-07-09 17:50:28 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Eric Blake 2012-07-16 22:10:21 UTC
Although the bug may have been rated as a low security impact, it has a higher development impact.  Any package (such as libvirt) that uses gnulib will fail a syntax-check designed to detect the existence of this bug.  Rather than forcing developers across multiple gnulib clients to hand-install a newer automake to get past the gnulib syntax check, it would be nicer to get the new automake (or at least a backport of the security fix applied on top of the existing automake) out the door to Fedora sooner rather than later, as the security bug is not only present in automake, but in all other packages that used broken automake to generate their makefiles.

Comment 2 Jim Meyering 2012-07-18 05:11:46 UTC
I've just increased both severity and priority to "HIGH".
Until this bug is fixed, the distribution automake should not be used by developers:
while developers may know to run "make distcheck" only from a protected
directory or with a restricted umask, few others will know that.

As long as we developers are using the affected automake, we put any user
of our generated tarballs at risk.

Comment 3 Eric Blake 2012-08-10 14:32:07 UTC
This is now a month old with no progress - any word on when a fixed automake will hit Fedora?

Comment 4 Daniel Berrangé 2012-08-10 14:33:39 UTC
Can we get this update in Fedora 16 / 17 asap. We are unable to use Fedora as a platform for libvirt development releases without this, since GNULIB raises errors if you attempt to make dist with a vulnerable automake

Comment 5 Fedora Update System 2012-08-14 13:29:43 UTC
automake-1.12.2-2.fc16 has been submitted as an update for Fedora 16.

Comment 6 Fedora Update System 2012-08-14 13:30:00 UTC
automake-1.12.2-2.fc17 has been submitted as an update for Fedora 17.

Comment 7 Pádraig Brady 2012-09-02 22:09:32 UTC
Could we have automake-1.11.6 in F16 and F17.

Comment 8 Eric Blake 2012-09-05 23:27:47 UTC
Coming up on 2 months old, and STILL not fixed in Fedora 17.  This is starting to get seriously annoying.

Comment 9 Eric Blake 2012-09-17 19:43:51 UTC
What's so hard about applying a one-line fix to automake 1.11.3 (basically, s/a+w/u+w/ in the installed /usr/share/automake-1.11/am/distdir.am file), or else updating to automake 1.11.6?  Pretty Please?  I'm tired of F17 being vulnerable.

Can a provenpackager make this change, since the current package owner seems to be unresponsive?

Comment 10 Fedora Update System 2012-09-18 03:58:06 UTC
automake-1.11.6-1.fc17 has been submitted as an update for Fedora 17.

Comment 11 Fedora Update System 2012-09-18 03:59:28 UTC
automake-1.11.6-1.fc16 has been submitted as an update for Fedora 16.

Comment 12 Pádraig Brady 2012-09-18 04:01:33 UTC
So I noticed 1.11.6 was in git but with a patch to tests that was breaking the build. So I removed that, built and updated F1[67].
(I just got provenpackager status this week).

Hope this is OK Karsten

Comment 13 Jim Meyering 2012-09-18 06:44:14 UTC
Awesome.  Thanks, Pádraig!

Comment 15 Fedora Update System 2012-09-19 02:52:57 UTC
Package automake-1.11.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing automake-1.11.6-1.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2012-09-19 03:09:36 UTC
automake-1.11.6-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2012-09-22 00:08:42 UTC
automake-1.11.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Ondrej Vasik 2012-12-14 09:54:41 UTC
Just as a side note - rebasing auto* tools (and developer toolset things) in released Fedoras is not very nice, sometimes it breaks builds for the others (this version was not bugfix only and it did break coreutils build for me because of the PKGLIBDIR deprecation).

Note You need to log in before you can comment on or make changes to this bug.