From https://bugzilla.redhat.com/show_bug.cgi?id=838286

Description of problem:
Stefano Lattarini discovered a vulnerability in automake that is much like the one that prompted CVE-2009-4029: automake's distcheck rule makes distdir briefly world-writable. Stefano also wrote the patch below. This bug is slightly more limited because it affects only the "make distcheck" rule, while CVE-2009-4029 affected all dist* rules. The point is that with these temporarily-relaxed directory permissions, an attacker can cause the person running "make distcheck" in an attacker-accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

How reproducible:
The directory is world-writable only briefly, but the flaw is exploitable.
"everything prior to v1.12.1-214-g15b8b62", so mga1 and 2, and "The Red Hat Security Response Team has rated this issue as having low security", so we can drop the critical.
CC: (none) => luigiwalser, shlomif
Component: New RPM package request => Security
Version: Cauldron => 2
Source RPM: (none) => automake
Whiteboard: (none) => MGA1TOO
Severity: critical => normal
Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?
(In reply to comment #2)
> Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?

No, we should just patch for this. There is a patch attached to the RedHat bug, as well as links to GIT commits in the 1.11 and 1.12 branches to fix this. I think upgrading automake versions can cause buildability issues in existing packages, so I wouldn't advise it.
OK, I've pushed automake-1.11.3-1.1.mga2 to Mageia 2 core/updates_testing with the patch. Please test.
Thanks. Could you build an update for Mageia 1 as well?
OK I uploaded automake-1.11.1-3.1.mga1 to Mageia 1 core/updates_testing.
Advisory:
========================

Updated automake package fixes security vulnerability:

Before 1.12.2, the recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck" (CVE-2012-3386).

It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html

========================
Updated packages in core/updates_testing:
========================

automake-1.11.1-3.1.mga1
automake-1.11.3-1.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Mandriva has issued an advisory for this today (July 12): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103 We could use their text for the CVE description since I couldn't find a good one yesterday. A race condition in automake (lib/am/distdir.am) could allow a local attacker to run arbitrary code with the privileges of the user running make distcheck (CVE-2012-3386).
I just took a closer look at Mandriva's work...we also need to patch automake1.7 and possibly automake1.4. Oops :o(
OK, automake1.7 updates are patched for Cauldron, Mageia 2, and Mageia 1. automake1.4 code is totally different, but it had the same vulnerability. It was already previously fixed and was called CVE-2009-4029.

Also for QA, I found the PoC for this, it's right in the patch (at the bottom)!
http://svnweb.mageia.org/packages/updates/2/automake/current/SOURCES/automake-distcheck.diff?revision=269551&view=markup

Advisory:
========================

Updated automake package fixes security vulnerability:

A race condition in automake (lib/am/distdir.am) could allow a local attacker to run arbitrary code with the privileges of the user running make distcheck (CVE-2012-3386).

Please note that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103

========================
Updated packages in core/updates_testing:
========================

automake-1.11.1-3.1.mga1
automake1.7-1.7.9-13.1.mga1
automake-1.11.3-1.1.mga2
automake1.7-1.7.9-13.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake1.7-1.7.9-13.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm
automake1.7-1.7.9-13.1.mga2.src.rpm
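As an added example (not code from this thread, from Automake, or from the Mageia packages): a small POSIX shell script that reproduces the permission step of the old 'distcheck' recipe on a scratch directory next to the hardened form, and a QA helper that scans a generated Makefile.in for the weak step. The recipe shape used here (chmod -R a-w on the tree, then "chmod a+w $(distdir)" replaced by "chmod u+w $(distdir)") is my reading of the upstream fix and is an assumption; the function names, the scratch tree and the Makefile.in fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Automake's own code. Mimics the permission dance of the
# pre-1.12.2 'distcheck' recipe beside the hardened form, and checks whether a
# Makefile.in still carries the weak step. Recipe shape assumed from the
# upstream fix; function and file names are illustrative.

# Is "other" allowed to write into directory $1? Prints yes or no.
other_writable() {
    # 9th character of `ls -ld` output is the other-write bit: d rwx rwx rwx
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo yes ;;
        *) echo no ;;
    esac
}

# Old shape (assumed): make the extracted tree read-only, then open the top
# directory to everyone so _build and _inst can be created inside it. Prints
# whether "other" could write into the directory during that window.
vulnerable_window() {
    d="$1"
    chmod -R a-w "$d"
    chmod a+w "$d"            # the weak step: o+w regardless of umask
    r=$(other_writable "$d")
    mkdir "$d/_build" "$d/_inst"
    chmod a-w "$d"
    echo "$r"
}

# Hardened shape (assumed): only the owner needs write access to create
# _build and _inst, so the directory is never opened to "other".
fixed_window() {
    d="$1"
    chmod -R a-w "$d"
    chmod u+w "$d"
    r=$(other_writable "$d")
    mkdir "$d/_build" "$d/_inst"
    chmod a-w "$d"
    echo "$r"
}

# QA helper: does a generated Makefile.in still contain the weak distcheck
# step? Prints weak if "chmod a+w $(distdir)" is present, ok otherwise.
scan_makefile_in() {
    if grep -q 'chmod a+w \$(distdir)' "$1"; then echo weak; else echo ok; fi
}

# Stand-alone demo on a scratch tree; no real package is needed.
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir "$tmp/v" "$tmp/f"
    : > "$tmp/v/configure"; : > "$tmp/f/configure"
    echo "old recipe: other-writable during window = $(vulnerable_window "$tmp/v")"
    echo "new recipe: other-writable during window = $(fixed_window "$tmp/f")"
    # constructed Makefile.in fragments, one per recipe shape
    printf '\tchmod -R a-w $(distdir); chmod a+w $(distdir) \\\n' > "$tmp/old.in"
    printf '\tchmod -R a-w $(distdir); chmod u+w $(distdir) \\\n' > "$tmp/new.in"
    echo "old Makefile.in: $(scan_makefile_in "$tmp/old.in")"
    echo "new Makefile.in: $(scan_makefile_in "$tmp/new.in")"
    chmod -R u+w "$tmp"; rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh script.sh demo`. The scan helper is the check a tester wants here: because the weak step lives in every Makefile.in that an old Automake generated, a package is only fixed once its Makefile.in has been regenerated (or it runs automake/autoreconf at build time, as the hplip and referencer rebuilds below do).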
OK, we have advisories and updated packages, what should we do to get this bug closed?
(In reply to comment #11)
> OK, we have advisories and updated packages, what should we do to get this bug
> closed?

They need to be tested (by someone other than you and me, since we packaged them) to verify that they work OK. Given that it's a development tool, it'd probably be good to recruit some packagers to test them.
Testing Mageia 1 32 bits complete. I rebuilt the referencer and hplip packages. The first one uses autoreconf and the second one automake in the spec file. Build went fine.
CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK
Testing Mageia 1 64 bits complete.
Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK
Tested Mageia 2 x86_64 builds of both referencer and hplip packages first without and then with the update candidate of automake package, there were no differences in the build logs that I could detect and all builds completed correctly.
CC: (none) => zen25000
Thanks, barry. Now we just need testing on Mageia 2 i586 and the update will go.
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64-OK
Testing complete on Mageia 2 i586. Update validated. No linking required. Thanks! See comment #10 for advisory and packages.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0193
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED