| Summary: | pmake new security issue CVE-2011-1920 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | steletch, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/571983/ | ||
| Whiteboard: | MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | pmake-1.45-12.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-10-28 22:40:13 CET
Here is the Debian patch for this for pmake 1.111. I'll backport it to pmake 1.45.
Index: pmake-1.111/mk/bsd.lib.mk
===================================================================
--- pmake-1.111.orig/mk/bsd.lib.mk 2011-05-29 15:38:35.843998781 +0200
+++ pmake-1.111/mk/bsd.lib.mk 2011-05-29 15:39:16.091998780 +0200
@@ -299,7 +299,7 @@
.if defined(SRCS)
afterdepend: .depend
- @(TMP=/tmp/_depend$$$$; \
+ @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
< .depend > $$TMP; \
mv $$TMP .depend)
Index: pmake-1.111/mk/bsd.prog.mk
===================================================================
--- pmake-1.111.orig/mk/bsd.prog.mk 2011-05-29 15:39:21.999998780 +0200
+++ pmake-1.111/mk/bsd.prog.mk 2011-05-29 15:39:30.923998779 +0200
@@ -260,7 +260,7 @@
.if defined(SRCS)
afterdepend: .depend
- @(TMP=/tmp/_depend$$$$; \
+ @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
< .depend > $$TMP; \
mv $$TMP .depend)
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron. Advisory: ======================== Updated pmake package fixes security vulnerability: The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and earlier, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to bsd.lib.mk and bsd.prog.mk (CVE-2011-1920). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1920 http://www.gentoo.org/security/en/glsa/glsa-201310-17.xml ======================== Updated packages in core/updates_testing: ======================== pmake-1.45-10.1.mga2 pmake-1.45-11.1.mga3 from SRPMS: pmake-1.45-10.1.mga2.src.rpm pmake-1.45-11.1.mga3.src.rpm CC:
(none) =>
steletch pmake is an alternate version of make. The /tmp/_depend#### is predictable because #### is the PID. It should be visible under strace while compiling something. The update should randomise it a bit, with any luck :) $ strace -o strace.txt pmake <whatever> $ grep /tmp strace.txt Advisory uploaded. Please remove 'advisory' whiteboard tag if anything changes. Whiteboard:
MGA2TOO =>
MGA2TOO has_procedure advisory Testing complete mga2 32 Googled and found some random source which says it can be compiled with pmake. ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz After extracting changed to the directory it created and ran $ ./configure $ strace -o strace.txt pmake grepping for tmp didn't show it using the directory mentioned so just checking the build still completes ok after updating. $ pmake clean Then update. Then.. $ pmake Whiteboard:
MGA2TOO has_procedure advisory =>
MGA2TOO has_procedure advisory mga2-32-ok Testing complete mga2 64 Whiteboard:
MGA2TOO has_procedure advisory mga2-32-ok =>
MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok Testing complete mga3 32 & 64 Validating. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks! Keywords:
(none) =>
validated_update Update pushed: http://advisories.mageia.org/MGASA-2013-0331.html Status:
NEW =>
RESOLVED |