A security issue has been found in automake. References http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572 https://bugzilla.redhat.com/show_bug.cgi?id=838286 Reproducible: Always
Version 1.12.2 and 1.11.6 are in tree already so that should be fine for those slots (need stable for 1.11.6 though I think). The problem is going to be related to automake 1.4~1.10 — seems like Debian already fixed in 1.4 with their backport for CVE-2009-4029, and afaict we have the same backport for our 1.4; the question is going to be whether this is also entirely fixed by the backports for 1.5, 1.6, 1.7, 1.8 and 1.9.
Sorry forgot to add, 1.10 lacks the backport because 1.10.3 was fixed upstream, so this bug should still be present. We might want to revisit what is using older automake and start masking the slots below 1.11 that can be migrated.
Thank you: taaroa for the report, Mike for bumping, and Diego for updating. May we proceed to stabilize =sys-devel/automake-1.11.6 ?
You might, but if you notice the summary I updated, it's not going to be solved just with stabling 1.11.6 — it's still going to be trouble for the other slots. We have to decide whether to mask them so that they get away or if we're going to backport the fix. Debian is likely going to backport it. For the 1.4 slot we might have it backported already like Debian has, but the others are still up to debate. So while the stable is a good idea, before involving the arches I'd like for somebody to take a look or a decision regarding the other slots.
CVE-2012-3386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386): The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
1.11.6 should be good to go now
amd64 stable
Arch teams, please test and mark stable: =sys-devel/automake-1.12.2 Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Ehm WHAT? automake-1.12 isn't safe in ~arch either, are you sure you want to mark that stable?
(In reply to comment #8) > Arch teams, please test and mark stable: > =sys-devel/automake-1.12.2 > Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 Scrap that. Arch teams, please test and mark stable: =sys-devel/automake-1.11.6 Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Stable for HPPA.
x86 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
ppc stable.
ppc64 stable, last arch done
Thanks, everyone. Adding to existing GLSA request.
@base-system, any decision yet on what to do with the older slots? We will not be able to proceed with a GLSA until then.
This issue was resolved and addressed in GLSA 201310-15 at http://security.gentoo.org/glsa/glsa-201310-15.xml by GLSA coordinator Chris Reffett (creffett).