Bug 6749 - automake security issue (CVE-2012-3386)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-64...
Keywords: validated_update
Reported: 2012-07-11 08:05 CEST by Olivier Delaune
Modified: 2012-08-02 22:24 CEST
Source RPM: automake

Description Olivier Delaune 2012-07-11 08:05:08 CEST
From https://bugzilla.redhat.com/show_bug.cgi?id=838286

Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an
attacker-accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.
Comment 1 Manuel Hiebel 2012-07-11 18:10:49 CEST
"everything prior to v1.12.1-214-g15b8b62" so mga1 and 2
and "The Red Hat Security Response Team has rated this issue as having low security" so we can drop the critical
Comment 2 Shlomi Fish 2012-07-11 18:28:45 CEST
Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?
Comment 3 David Walser 2012-07-11 19:06:15 CEST
(In reply to comment #2)
> Should I provide an automake-1.12.2 update for Mageia Linux 1 and 2?

No, we should just patch for this.  There is a patch attached to the Red Hat bug, as well as links to Git commits in the 1.11 and 1.12 branches to fix this.

I think upgrading automake versions can cause buildability issues in existing packages, so I wouldn't advise it.
Comment 4 Shlomi Fish 2012-07-11 19:42:09 CEST
OK, I've pushed automake-1.11.3-1.1.mga2 to Mageia 2 core/updates_testing with the patch. Please test.
Comment 5 David Walser 2012-07-11 21:38:24 CEST
Thanks.  Could you build an update for Mageia 1 as well?
Comment 6 David Walser 2012-07-12 00:09:07 CEST
OK, I uploaded automake-1.11.1-3.1.mga1 to Mageia 1 core/updates_testing.
Comment 7 David Walser 2012-07-12 00:14:38 CEST
Advisory:
========================

Updated automake package fixes security vulnerability:

Before 1.12.2, the recipe of the 'distcheck' target granted temporary
world-write permissions on the extracted distdir.  This introduced
a locally exploitable race condition for those who run "make distcheck"
with a non-restrictive umask (e.g., 022) in a directory that was
accessible by others.  A successful exploit would result in arbitrary
code execution with the privileges of the user running "make distcheck"
(CVE-2012-3386).

It is important to stress that this vulnerability impacts not only
the Automake package itself, but all packages with Automake-generated
makefiles.  For an effective fix it is necessary to regenerate the
Makefile.in files with a fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
========================

Updated packages in core/updates_testing:
========================
automake-1.11.1-3.1.mga1
automake-1.11.3-1.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm
Comment 8 David Walser 2012-07-12 19:17:45 CEST
Mandriva has issued an advisory for this today (July 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103

We could use their text for the CVE description since I couldn't find a good one yesterday.

A race condition in automake (lib/am/distdir.am) could allow a local
attacker to run arbitrary code with the privileges of the user running
make distcheck (CVE-2012-3386).
Comment 9 David Walser 2012-07-15 01:55:04 CEST
I just took a closer look at Mandriva's work...we also need to patch automake1.7 and possibly automake1.4.  Oops :o(
Comment 10 David Walser 2012-07-15 04:05:51 CEST
OK, automake1.7 updates are patched for Cauldron, Mageia 2, and Mageia 1.

automake1.4 code is totally different, but it had the same vulnerability.
It was already previously fixed and was called CVE-2009-4029.

Also for QA, I found the PoC for this, it's right in the patch (at the bottom)!
http://svnweb.mageia.org/packages/updates/2/automake/current/SOURCES/automake-distcheck.diff?revision=269551&view=markup

Advisory:
========================

Updated automake package fixes security vulnerability:

A race condition in automake (lib/am/distdir.am) could allow a local
attacker to run arbitrary code with the privileges of the user running
make distcheck (CVE-2012-3386).

Please note that this vulnerability impacts not only the Automake package
itself, but all packages with Automake-generated makefiles.  For an
effective fix it is necessary to regenerate the Makefile.in files with a
fixed Automake version.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
https://bugzilla.redhat.com/show_bug.cgi?id=838286
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:103
========================

Updated packages in core/updates_testing:
========================
automake-1.11.1-3.1.mga1
automake1.7-1.7.9-13.1.mga1
automake-1.11.3-1.1.mga2
automake1.7-1.7.9-13.1.mga2

from SRPMS:
automake-1.11.1-3.1.mga1.src.rpm
automake1.7-1.7.9-13.1.mga1.src.rpm
automake-1.11.3-1.1.mga2.src.rpm
automake1.7-1.7.9-13.1.mga2.src.rpm
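Two preflight checks that follow from the description and the advisory above (an added example for QA, not Mageia's or Automake's code): the first lists Makefile.in files whose distcheck recipe still has the pre-fix world-writable step, since the advisory stresses that every package must regenerate its Makefile.in; the second reports whether the working directory is traversable by others (o+x), the precondition the description gives. It assumes the fixed recipe replaces "chmod a+w $(distdir)" with "chmod u+w $(distdir)", so only the a+w form is flagged.

```shell
#!/bin/sh
# Added example, not Mageia's or Automake's own code.
# Assumption: the fixed distcheck recipe uses "chmod u+w $(distdir)";
# the pre-fix "chmod a+w $(distdir)" form is what we look for.

# List every Makefile.in under $1 still carrying the world-writable step.
# Exit status 0 = at least one found (paths printed), 1 = none.
find_vulnerable_makefiles() {
    hits=$(find "$1" -type f -name Makefile.in \
        -exec grep -lF 'chmod a+w $(distdir)' {} +)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Exit status 0 if others can traverse directory $1 (o+x), else 1.
# -prune keeps find on the directory itself; -perm -001 tests the o+x bit.
dir_traversable_by_others() {
    [ -n "$(find "$1" -prune -perm -001 -print)" ]
}

# Combined check: 0 = tree $1 is regenerated and workdir $2 is private.
distcheck_preflight() {
    tree=$1; workdir=$2; rc=0
    if find_vulnerable_makefiles "$tree"; then
        echo "unpatched distcheck recipe(s) listed above; regenerate Makefile.in" >&2
        rc=1
    fi
    if dir_traversable_by_others "$workdir"; then
        echo "$workdir is o+x; run distcheck from a private directory" >&2
        rc=1
    fi
    return $rc
}

# Constructed demo tree (sample data, not taken from the bug report).
demo=$(mktemp -d)
mkdir -p "$demo/src/old" "$demo/src/new" "$demo/work"
printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
    > "$demo/src/old/Makefile.in"
printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
    > "$demo/src/new/Makefile.in"
chmod 0700 "$demo/work"
distcheck_preflight "$demo/src" "$demo/work" || echo "preflight failed as expected: src/old is unpatched"
rm -rf "$demo"
```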
Comment 11 Shlomi Fish 2012-07-20 11:49:03 CEST
OK, we have advisories and updated packages, what should we do to get this bug closed?
Comment 12 David Walser 2012-07-20 12:38:26 CEST
(In reply to comment #11)
> OK, we have advisories and updated packages, what should we do to get this bug
> closed?

They need to be tested (by someone other than you and me, since we packaged them) to verify that they work OK.  Given that it's a development tool, it'd probably be good to recruit some packagers to test them.
Comment 13 Samuel Verschelde 2012-07-23 21:57:36 CEST
Testing Mageia 1 32 bits complete. I rebuilt the referencer and hplip packages. The first one uses autoreconf and the second one automake in the spec file. Build went fine.
Comment 14 Samuel Verschelde 2012-07-23 23:47:30 CEST
Testing Mageia 1 64 bits complete.
Comment 15 Barry Jackson 2012-07-31 00:33:30 CEST
Tested Mageia 2 x86_64 builds of both referencer and hplip packages, first without and then with the update candidate of the automake package; there were no differences in the build logs that I could detect and all builds completed correctly.
Comment 16 Samuel Verschelde 2012-07-31 00:41:19 CEST
Thanks Barry. Now we just need testing on Mageia 2 i586 and the update will go.
Comment 17 Samuel Verschelde 2012-07-31 17:26:21 CEST
Testing complete on Mageia 2 i586.

Update validated. No linking required. Thanks!

See comment #10 for advisory and packages.
Comment 18 Thomas Backlund 2012-08-02 22:24:15 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0193