CVE-2012-3386 Automake security fix for 'make distcheck'
From: Stefano Lattarini
Subject: CVE-2012-3386 Automake security fix for 'make distcheck'
Date: Mon, 09 Jul 2012 18:26:01 +0200

GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable security-related race condition that affects "make distcheck" for all packages that use Automake.
Before the fix, the recipe of the 'distcheck' target granted temporary world-write permissions on the extracted distdir. This introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that was accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck".
It is important to stress that this vulnerability impacts not only the Automake package itself, but all packages with Automake-generated makefiles. For an effective fix it is necessary to regenerate the Makefile.in files with a fixed Automake version.
For release series older than 1.11.x, no fix has been applied to the git repository, and no official new release is planned that fixes the vulnerability. Users interested in having such a fix in older releases will have to apply it manually (the attached patch is what we used on the 1.11.6 and 1.12.2 releases).
The issue was found and fixed by Stefano Lattarini. Jim Meyering wrote a proof-of-concept script showing that the vulnerability is easy to exploit.
Attachment: 0001-distcheck-never-make-part-of-distdir-world-writable.patch
Description: Text Data
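
Added example (not part of the original advisory or the attached patch): a shell check that classifies Makefile.in files by the Automake version in their generator header, against the fixed releases 1.11.6 and 1.12.2 named above. It assumes the usual `# Makefile.in generated by automake X.Y.Z from Makefile.am.` header line; the function names are hypothetical, and an older release patched by hand is still reported as vulnerable because only the header is inspected.

```shell
#!/bin/sh
# Classify Automake-generated Makefile.in files against the fixed releases
# named in the advisory (1.11.6 and 1.12.2). Function names are hypothetical.

# Print the Automake version found in the generator header (assumed form:
# "# Makefile.in generated by automake 1.11.1 from Makefile.am.").
automake_version() {
    sed -n 's/^# .* generated by automake \([0-9][^ ]*\) from .*/\1/p' "$1" | head -n 1
}

# Print "fixed", "vulnerable" or "unknown" for a version string.
distcheck_status() {
    IFS=. read -r major minor patch _ <<EOF
$1
EOF
    # Drop non-numeric suffixes such as the "a" in "1.11.1a" or "-p6" in "1.4-p6".
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    if [ -z "$major" ] || [ -z "$minor" ]; then echo unknown; return; fi
    patch=${patch:-0}
    if [ "$major" -lt 1 ]; then
        echo vulnerable
    elif [ "$major" -gt 1 ] || [ "$minor" -ge 13 ]; then
        echo fixed          # anything newer than the 1.12 series
    elif [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then
        echo fixed
    elif [ "$minor" -eq 11 ] && [ "$patch" -ge 6 ]; then
        echo fixed
    else
        # 1.12.0-1.12.1, 1.11.0-1.11.5, and every series older than 1.11,
        # for which the advisory says no fixed release is planned.
        echo vulnerable
    fi
}

# Print "STATUS VERSION PATH" for every Makefile.in under a directory.
audit_tree() {
    find "$1" -type f -name 'Makefile.in' | sort | while IFS= read -r f; do
        ver=$(automake_version "$f")
        if [ -z "$ver" ]; then echo "unknown - $f"; continue; fi
        echo "$(distcheck_status "$ver") $ver $f"
    done
}

# Stand-alone use: pass the source tree to audit as the first argument.
[ "$#" -eq 0 ] || audit_tree "$1"
```

Files reported as vulnerable need their Makefile.in regenerated with a fixed Automake, as the advisory states; updating the installed Automake alone does not change them.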