Race condition by creation of "distdir" based directory hierarchy

Description Jan Lieskovsky 2009-11-30 10:57:10 UTC

Jim Meyering found a race condition in the way Automake used to prepare the content of the directory hierarchy (top-level directory and its subdirectories) when the "distdir" based Automake target was used. A local attacker could use this flaw to inject malicious content into the resulting directory and potentially subsequently execute arbitrary code with the privileges of the user issuing the "./configure" command.

Upstream patch:

http://thread.gmane.org/gmane.comp.sysutils.automake.patches/3743

Comment 2 Jan Lieskovsky 2009-11-30 11:48:24 UTC

This issue affects the versions of the automake package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the automake package, as shipped with Fedora releases 10, 11, and 12.

Comment 19 Fedora Update System 2010-01-02 03:29:25 UTC

automake-1.11.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2010-02-01 01:11:23 UTC

automake-1.11.1-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Tomas Hoger 2010-02-16 08:02:33 UTC

Affected Makefile targets (thanks to Jim for assembling the list):

dist distcheck dist-gzip dist-bzip2 dist-lzma dist-xz dist-tarZ dist-shar dist-zip

Some dist-* targets may not be supported by older automake versions.

Comment 44 Fedora Update System 2010-03-04 00:04:11 UTC

automake16-1.6.3-18.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Comment 45 Fedora Update System 2010-03-04 00:09:52 UTC

automake15-1.5-29.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Comment 46 Fedora Update System 2010-03-04 00:17:55 UTC

automake14-1.4p6-20.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Comment 47 Fedora Update System 2010-03-04 00:18:45 UTC

automake17-1.7.9-13.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 48 Fedora Update System 2010-03-04 00:19:05 UTC

automake15-1.5-29.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 49 Fedora Update System 2010-03-04 00:19:32 UTC

automake17-1.7.9-13.fc12.1 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Comment 50 Fedora Update System 2010-03-04 00:21:51 UTC

automake16-1.6.3-18.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 51 Fedora Update System 2010-03-04 00:23:19 UTC

automake14-1.4p6-20.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 57 Josh Bressers 2010-08-04 19:56:40 UTC

This has been fixed.