Red Hat Bugzilla – Bug 838660
CVE-2012-3386 automake: locally exploitable "make distcheck" bug [fedora-all]
Last modified: 2012-12-14 09:37:08 EST
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Although the bug may have been rated as a low security impact, it has a higher development impact. Any package (such as libvirt) that uses gnulib will fail a syntax-check designed to detect the existence of this bug. Rather than forcing developers across multiple gnulib clients to hand-install a newer automake to get past the gnulib syntax check, it would be nicer to get the new automake (or at least a backport of the security fix applied on top of the existing automake) out the door to Fedora sooner rather than later, as the security bug is not only present in automake, but in all other packages that used broken automake to generate their makefiles.
I've just increased both severity and priority to "HIGH".
Until this bug is fixed, the distribution automake should not be used by developers:
while developers may know to run "make distcheck" only from a protected
directory or with a restricted umask, few others will know that.
As long as we developers are using the affected automake, we put any user
of our generated tarballs at risk.
This is now a month old with no progress - any word on when a fixed automake will hit Fedora?
Can we get this update in Fedora 16 / 17 ASAP? We are unable to use Fedora as a platform for libvirt development releases without this, since GNULIB raises errors if you attempt to make dist with a vulnerable automake.
automake-1.12.2-2.fc16 has been submitted as an update for Fedora 16.
automake-1.12.2-2.fc17 has been submitted as an update for Fedora 17.
Could we have automake-1.11.6 in F16 and F17?
Coming up on 2 months old, and STILL not fixed in Fedora 17. This is starting to get seriously annoying.
What's so hard about applying a one-line fix to automake 1.11.3 (basically, s/a+w/u+w/ in the installed /usr/share/automake-1.11/am/distdir.am file), or else updating to automake 1.11.6? Pretty Please? I'm tired of F17 being vulnerable.
Can a provenpackager make this change, since the current package owner seems to be unresponsive?
automake-1.11.6-1.fc17 has been submitted as an update for Fedora 17.
automake-1.11.6-1.fc16 has been submitted as an update for Fedora 16.
So I noticed 1.11.6 was in git but with a patch to tests that was breaking the build. So I removed that, built and updated F1.
(I just got provenpackager status this week).
Hope this is OK Karsten
Awesome. Thanks, Pádraig!
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing automake-1.11.6-1.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
automake-1.11.6-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
automake-1.11.6-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Just as a side note - rebasing auto* tools (and developer toolset things) in released Fedoras is not very nice, sometimes it breaks builds for the others (this version was not bugfix only and it did break coreutils build for me because of the PKGLIBDIR deprecation).
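
The thread says the flaw lives both in the installed distdir.am and in every Makefile.in generated from it. The added example below (not part of the bug report, nor code from automake or gnulib) scans directory trees for files that still carry the old recipe. It assumes the vulnerable line contains the literal text `chmod a+w $(distdir)`, which the quoted s/a+w/u+w/ fix turns into `chmod u+w $(distdir)`; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: find build files that still carry the world-writable
# distcheck recipe discussed in this bug (CVE-2012-3386).
# Assumption: the vulnerable recipe contains the literal text below; the
# fix quoted in the thread (s/a+w/u+w/) changes it to 'chmod u+w $(distdir)'.
VULN_RECIPE='chmod a+w $(distdir)'

# scan_distcheck ROOT...
# Prints every Makefile.in / distdir.am under the given roots that contains
# the vulnerable line. Returns 1 if any was found, 0 if all are clean.
scan_distcheck() {
    hits=$(
        for root in "$@"; do
            [ -e "$root" ] || continue   # skip roots that do not exist
            # -F: fixed-string match, so '+', '$' and '(' are literal
            find "$root" -type f \( -name Makefile.in -o -name distdir.am \) \
                -exec grep -lF -- "$VULN_RECIPE" {} + 2>/dev/null || :
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_demo_tree: writes two constructed sample files (not real project
# output) into a fresh temp directory and prints the directory path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/old" "$d/new"
    # Constructed sample: recipe as emitted by an unfixed automake (assumed)
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
        > "$d/old/Makefile.in"
    # Constructed sample: same recipe after the one-line fix
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
        > "$d/new/Makefile.in"
    printf '%s\n' "$d"
}
```

Run it as `scan_distcheck /usr/share/automake-1.11/am path/to/unpacked-tarball`; a non-zero exit status means at least one file still needs regenerating with a fixed automake.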