Gentoo has issued an advisory today (October 28):
http://www.gentoo.org/security/en/glsa/glsa-201310-17.xml

Mageia 2 and Mageia 3 are also affected.
Here is the Debian patch for this for pmake 1.111. I'll backport it to pmake 1.45. Index: pmake-1.111/mk/bsd.lib.mk =================================================================== --- pmake-1.111.orig/mk/bsd.lib.mk 2011-05-29 15:38:35.843998781 +0200 +++ pmake-1.111/mk/bsd.lib.mk 2011-05-29 15:39:16.091998780 +0200 @@ -299,7 +299,7 @@ .if defined(SRCS) afterdepend: .depend - @(TMP=/tmp/_depend$$$$; \ + @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \ sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \ < .depend > $$TMP; \ mv $$TMP .depend) Index: pmake-1.111/mk/bsd.prog.mk =================================================================== --- pmake-1.111.orig/mk/bsd.prog.mk 2011-05-29 15:39:21.999998780 +0200 +++ pmake-1.111/mk/bsd.prog.mk 2011-05-29 15:39:30.923998779 +0200 @@ -260,7 +260,7 @@ .if defined(SRCS) afterdepend: .depend - @(TMP=/tmp/_depend$$$$; \ + @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \ sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \ < .depend > $$TMP; \ mv $$TMP .depend)
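Review bot: in the bsd.lib.mk hunk the commands after the new assignment are still joined with `;`, so if sed fails the rule goes on to `mv $$TMP .depend` and replaces .depend with a truncated file, and on any other failure the mktemp file is left behind. Since the line now already bails out with `|| exit $$?` when mktemp fails, chaining the sed and mv steps with `&&` and removing $$TMP on failure would fit in the same change.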
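Review bot: in the bsd.prog.mk hunk the file that ends up as .depend is now the one mktemp created, and mktemp creates files with mode 0600, which `mv $$TMP .depend` preserves; before, the `> $$TMP` redirect created the file under the caller's umask. If .depend is expected to stay readable by other users of a shared build tree, a chmod before the mv (or a note that the mode change is intended) should be added.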
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated pmake package fixes security vulnerability:

The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and earlier, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to bsd.lib.mk and bsd.prog.mk (CVE-2011-1920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1920
http://www.gentoo.org/security/en/glsa/glsa-201310-17.xml
========================

Updated packages in core/updates_testing:
========================
pmake-1.45-10.1.mga2
pmake-1.45-11.1.mga3

from SRPMS:
pmake-1.45-10.1.mga2.src.rpm
pmake-1.45-11.1.mga3.src.rpm

CC: (none) => steletch
Version: Cauldron => 3
Assignee: steletch => qa-bugs
Whiteboard: (none) => MGA2TOO
pmake is an alternate version of make.

The /tmp/_depend#### is predictable because #### is the PID. It should be visible under strace while compiling something. The update should randomise it a bit, with any luck :)

$ strace -o strace.txt pmake <whatever>
$ grep /tmp strace.txt

Advisory uploaded. Please remove 'advisory' whiteboard tag if anything changes.
Whiteboard: MGA2TOO => MGA2TOO has_procedure advisory
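The strace check described above can be made more specific than a grep for /tmp. This is an added example, not part of the original thread or of pmake: the function name, the heuristic and the sample log are constructed, and it assumes a trace taken with `strace -f -o FILE`, so that every line starts with a PID and the shell commands pmake runs are included.

```shell
#!/bin/sh
# Added example (not from the bug thread). Flags temp files under /tmp that
# are created without O_EXCL and whose name ends in the PID of a traced
# process, which is the /tmp/_depend$$ pattern from CVE-2011-1920.

flag_pid_tmp_opens() {
    awk '
    # With "strace -f -o FILE" each line begins with the calling PID.
    $1 ~ /^[0-9]+$/ { pids[$1] = 1 }
    /open(at)?\(/ && /"\/tmp\// {
        if ($0 ~ /O_EXCL/)   next   # exclusive create, as done by mktemp
        if ($0 !~ /O_CREAT/) next   # only opens that may create the file
        path = $0
        sub(/^[^"]*"/, "", path)    # drop everything up to the first quote
        sub(/".*$/, "", path)       # drop everything after the path
        cand[++n] = path
    }
    END {
        for (i = 1; i <= n; i++) {
            suffix = cand[i]
            sub(/^.*[^0-9]/, "", suffix)   # keep the trailing digit run
            if (suffix != "" && (suffix in pids) && !seen[cand[i]]++)
                print cand[i]
        }
    }' "$@"
}

# Constructed sample trace: one unpatched rule, one patched (mktemp) rule.
sample_log() {
    cat <<'EOF'
4242 execve("/bin/sh", ["sh", "-c", "..."], 0x7ffd0 /* 20 vars */) = 0
4243 openat(AT_FDCWD, "/tmp/_depend4242", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
4250 openat(AT_FDCWD, "/tmp/_dependk3JxQwLa27", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
4251 openat(AT_FDCWD, "/tmp/_dependk3JxQwLa27", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
4252 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
EOF
}

sample_log | flag_pid_tmp_opens
```

On a real trace, pass the log file as the argument: `flag_pid_tmp_opens strace.txt`. An empty result only means no PID-named file was created during that run, so the traced build has to include the `afterdepend` rule for the check to say anything.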
Testing complete mga2 32

Googled and found some random source which says it can be compiled with pmake.
ftp://ftp.freetds.org/pub/freetds/stable/freetds-stable.tgz

After extracting, changed to the directory it created and ran:

$ ./configure
$ strace -o strace.txt pmake

Grepping for tmp didn't show it using the directory mentioned, so just checking the build still completes OK after updating.

$ pmake clean

Then update. Then..

$ pmake
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga2-32-ok
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates?

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0331.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED