Bug 11556 - pmake new security issue CVE-2011-1920
: pmake new security issue CVE-2011-1920
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/571983/
: MGA2TOO has_procedure advisory mga2-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-28 22:40 CET by David Walser
Modified: 2013-11-20 21:59 CET (History)
3 users (show)

See Also:
Source RPM: pmake-1.45-12.mga4.src.rpm
CVE:


Attachments

Description David Walser 2013-10-28 22:40:13 CET
Gentoo has issued an advisory today (October 28):
http://www.gentoo.org/security/en/glsa/glsa-201310-17.xml

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-05 21:06:41 CET
Here is the Debian patch for this for pmake 1.111.  I'll backport it to pmake 1.45.

Index: pmake-1.111/mk/bsd.lib.mk
===================================================================
--- pmake-1.111.orig/mk/bsd.lib.mk      2011-05-29 15:38:35.843998781 +0200
+++ pmake-1.111/mk/bsd.lib.mk   2011-05-29 15:39:16.091998780 +0200
@@ -299,7 +299,7 @@

 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
Index: pmake-1.111/mk/bsd.prog.mk
===================================================================
--- pmake-1.111.orig/mk/bsd.prog.mk     2011-05-29 15:39:21.999998780 +0200
+++ pmake-1.111/mk/bsd.prog.mk  2011-05-29 15:39:30.923998779 +0200
@@ -260,7 +260,7 @@

 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
Comment 2 David Walser 2013-11-05 21:17:50 CET
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated pmake package fixes security vulnerability:

The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and
earlier, allow local users to overwrite arbitrary files via a symlink attack
on a /tmp/_depend##### temporary file, related to bsd.lib.mk and bsd.prog.mk
(CVE-2011-1920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1920
http://www.gentoo.org/security/en/glsa/glsa-201310-17.xml
========================

Updated packages in core/updates_testing:
========================
pmake-1.45-10.1.mga2
pmake-1.45-11.1.mga3

from SRPMS:
pmake-1.45-10.1.mga2.src.rpm
pmake-1.45-11.1.mga3.src.rpm
Comment 3 claire robinson 2013-11-19 12:40:11 CET
pmake is an alternate version of make. The /tmp/_depend#### is predictable because #### is the PID. It should be visible under strace while compiling something. The update should randomise it a bit, with any luck :)

$ strace -o strace.txt pmake <whatever>
$ grep /tmp strace.txt

Advisory uploaded. Please remove 'advisory' whiteboard tag if anything changes.
Comment 4 claire robinson 2013-11-19 16:42:23 CET
Testing complete mga2 32

Googled and found some random source which says it can be compiled with pmake.
ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz

After extracting changed to the directory it created and ran

$ ./configure
$ strace -o strace.txt pmake

grepping for tmp didn't show it using the directory mentioned so just checking the build still completes ok after updating.

$ pmake clean

Then update. Then..

$ pmake
Comment 5 claire robinson 2013-11-19 17:09:29 CET
Testing complete mga2 64
Comment 6 claire robinson 2013-11-19 17:19:29 CET
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 7 Thomas Backlund 2013-11-20 21:59:10 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0331.html

Note You need to log in before you can comment on or make changes to this bug.