[Bug 1023960] Re: (CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug
Michael Leveillee
1023960 at bugs.launchpad.net
Thu Feb 8 16:30:05 UTC 2018
** Changed in: automake (Ubuntu)
Status: Triaged => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to automake in Ubuntu.
https://bugs.launchpad.net/bugs/1023960
Title:
(CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make
distcheck" bug
Status in automake package in Ubuntu:
Incomplete
Status in automake package in Debian:
Fix Released
Status in automake package in Fedora:
Fix Released
Bug description:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.
This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.
The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.
Version-Release number of selected component (if applicable):
everything prior to v1.12.1-214-g15b8b62
How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/automake/+bug/1023960/+subscriptions
More information about the foundations-bugs
mailing list