Launchpad has imported 16 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=838286.
On 2012-07-08T09:29:01+00:00 Jim wrote:
Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.
This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.
The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.
Version-Release number of selected component (if applicable):
everything prior to v1.12.1-214-g15b8b62
How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.
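A check for the pattern this report describes, as an added example that is not part of the bug report or automake's own code: it scans the distcheck recipe of a Makefile for a chmod that makes a distdir path writable by others. The sample Makefile text, the `u+w` corrected form, and the function names are constructed assumptions.

```python
import re

# Constructed sample shaped like the rule the report describes; not copied from automake.
VULNERABLE = (
    "distdir = $(PACKAGE)-$(VERSION)\n"
    "dist: distdir\n"
    "\ttar chof - $(distdir) | gzip -c >$(distdir).tar.gz\n"
    "distcheck: dist\n"
    "\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n"
    "\tmkdir $(distdir)/_build\n"
    "\tcd $(distdir)/_build && ../configure && $(MAKE) check\n"
)
# Assumed shape of a corrected recipe: only the owner regains write access.
FIXED = VULNERABLE.replace("chmod a+w", "chmod u+w")


def grants_other_write(mode):
    """True if a chmod mode (octal or symbolic) gives 'others' write permission."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", clause)
        if m and "w" in m.group(3) and set(m.group(1)) & {"a", "o"}:
            return True
    return False


def find_world_writable_chmod(makefile_text, target="distcheck"):
    """Return (line_no, command) for chmod calls in `target`'s recipe that
    make a distdir path writable by others."""
    hits, in_rule = [], False
    for no, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith("\t"):  # rule header or other non-recipe line
            in_rule = re.match(r"%s\s*:(?!=)" % re.escape(target), line) is not None
            continue
        if not in_rule:
            continue
        for cmd in re.split(r";|&&|\|\|", line):
            tok = cmd.split()
            if not tok or tok[0].lstrip("@-+") != "chmod":
                continue
            # Drop option flags such as -R; the first remaining token is the mode.
            args = [t for t in tok[1:] if not re.fullmatch(r"-[Rfvc]+", t)]
            if (len(args) >= 2 and grants_other_write(args[0])
                    and any("distdir" in a for a in args[1:])):
                hits.append((no, " ".join(tok)))
    return hits
```

The scan is line-based, so a chmod whose arguments are split across a backslash continuation is not matched.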
On 2012-07-08T09:34:27+00:00 Jim wrote:
Created attachment 596864
planned fix
On 2012-07-08T09:47:17+00:00 Jim wrote:
FYI, Stefano wrote:
"git blame" tells me that the offending "chmod a+w" command has been there
(ignoring trivial changes and code movements) since almost "forever" (at
least since commit 6a60072d, where configure.in defines an Automake
version of 1.4a).
On 2012-07-08T09:48:11+00:00 Jim wrote:
Stefano plans to release fixed automake in the next day or so.
On 2012-07-09T07:59:11+00:00 Stefan wrote:
Thank you very much for reporting this.
Do you need a new CVE for this, or is there already a CVE
request/assignment in progress?
On 2012-07-09T08:05:25+00:00 Jim wrote:
Yes, please. If you can give us a CVE number, that'd be welcome.
On 2012-07-09T08:25:35+00:00 Stefan wrote:
(In reply to comment #5)
> Yes, please. If you can give us a CVE number, that'd be welcome.
Please use CVE-2012-3386 for this issue. Thanks!
On 2012-07-09T16:38:50+00:00 Jim wrote:
The patch/bug are now public:
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
In addition, GNU Automake 1.12.2 (with this fix) has been released.
On 2012-07-09T17:50:43+00:00 Vincent wrote:
Created automake17 tracking bugs for this issue
Affects: fedora-all [bug 838661]
On 2012-07-09T17:50:45+00:00 Vincent wrote:
Created automake tracking bugs for this issue
Affects: fedora-all [bug 838660]
On 2012-07-10T05:48:48+00:00 Stefan wrote:
Fixed upstream in GIT and versions 1.11.6 and 1.12.2.
References:
http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
On 2013-02-20T03:49:51+00:00 Murray wrote:
Acknowledgements:
Red Hat would like to thank Jim Meyering for reporting this issue.
Upstream acknowledges Stefano Lattarini as the