Bug 838286 - (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Priority: low
Severity: low
Assigned To: Stefan Cornelius
impact=low,public=20120709,reported=2...
Keywords: Security
Depends On: 838660 838661 848469 848470
Blocks: 838459 855229 1063682
Reported: 2012-07-08 05:29 EDT by Jim Meyering
Modified: 2015-02-20 05:57 EST
Doc Type: Bug Fix
Doc Text:
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
Clones: 848469 848470
Last Closed: 2015-02-19 16:10:03 EST
Type: Bug


Attachments:
planned fix (4.24 KB, patch)
2012-07-08 05:34 EDT, Jim Meyering

Description Jim Meyering 2012-07-08 05:29:01 EDT
Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
  everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.
Comment 1 Jim Meyering 2012-07-08 05:34:27 EDT
Created attachment 596864
planned fix
Comment 2 Jim Meyering 2012-07-08 05:47:17 EDT
FYI, Stefano wrote:

  "git blame" tells me that the offending "chmod a+w" command has been there
  (ignoring trivial changes and code movements) since almost "forever" (at
  least since commit 6a60072d, where configure.in defines an Automake
  version of 1.4a).
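
One way to audit a source tree for the "chmod a+w" command discussed above (an added example, not part of the bug report or of Automake): the function scans only the recipe of the distcheck rule in a generated Makefile and reports chmod commands that add write permission for "all" or "other" on $(distdir). The function name, the constructed sample recipes and the owner-only `u+w` contrast case are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): report chmod commands in the
# distcheck recipe that add write permission for "all"/"other" on $(distdir).
# Only symbolic modes are recognised; octal modes are out of scope here.

# Print matching recipe lines of FILE; exit status 0 if at least one was found.
distcheck_chmod_findings() {
    awk '
        /^distcheck:/     { in_rule = 1; next }   # start of the distcheck rule
        in_rule && !/^\t/ { in_rule = 0 }         # recipe lines start with a tab
        in_rule && /\$\(distdir\)/ &&
        /chmod[ \t]+(-[A-Za-z]+[ \t]+)*[ugo]*[ao][ugoa]*\+[rxXst]*w/ {
            print FILENAME ":" NR ":" $0
            found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample Makefile fragment; $1 is the mode of the second chmod.
# The distclean rule checks that matches outside distcheck are ignored.
make_sample() {
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod %s $(distdir)\n\tmkdir $(distdir)/_build\n\tchmod a-w $(distdir)\n\ndistclean:\n\tchmod a+w unrelated\n' "$1"
}

# Stand-alone demonstration on the two constructed samples.
tmp=$(mktemp -d)
make_sample 'a+w' > "$tmp/world-writable.in"
make_sample 'u+w' > "$tmp/owner-only.in"
for f in "$tmp/world-writable.in" "$tmp/owner-only.in"; do
    if distcheck_chmod_findings "$f"; then
        echo "FLAGGED: $f"
    else
        echo "ok:      $f"
    fi
done
rm -rf "$tmp"
```
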
Comment 3 Jim Meyering 2012-07-08 05:48:11 EDT
Stefano plans to release fixed automake in the next day or so.
Comment 4 Stefan Cornelius 2012-07-09 03:59:11 EDT
Thank you very much for reporting this.

Do you need a new CVE for this, or is there already a CVE request/assignment in progress?
Comment 5 Jim Meyering 2012-07-09 04:05:25 EDT
Yes, please.  If you can give us a CVE number, that'd be welcome.
Comment 6 Stefan Cornelius 2012-07-09 04:25:35 EDT
(In reply to comment #5)
> Yes, please.  If you can give us a CVE number, that'd be welcome.

Please use CVE-2012-3386 for this issue. Thanks!
Comment 7 Jim Meyering 2012-07-09 12:38:50 EDT
The patch/bug are now public:

  http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

In addition, GNU Automake 1.12.2 (with this fix) has been released.
Comment 8 Vincent Danen 2012-07-09 13:50:43 EDT
Created automake17 tracking bugs for this issue

Affects: fedora-all [bug 838661]
Comment 9 Vincent Danen 2012-07-09 13:50:45 EDT
Created automake tracking bugs for this issue

Affects: fedora-all [bug 838660]
Comment 12 Murray McAllister 2013-02-19 22:49:51 EST
Acknowledgements:

Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter.
Comment 13 errata-xmlrpc 2013-02-21 06:04:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0526 https://rhn.redhat.com/errata/RHSA-2013-0526.html
Comment 14 Huzaifa S. Sidhpurwala 2013-02-21 23:44:09 EST
Statement:

This issue affects the version of automake15, automake16 and automake17 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of automake15 and automake16 as shipped with Red Hat Enterprise Linux 6.  A future update may address this flaw in various affected versions of automake.
Comment 16 Martin Prpic 2014-08-26 04:02:40 EDT
IssueDescription:

It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
Comment 17 errata-xmlrpc 2014-09-16 01:29:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1243 https://rhn.redhat.com/errata/RHSA-2014-1243.html
