Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
View Bug Activity | Format For Printing | XML | Clone This Bug
It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system. Reproducible: Didn't try Steps to Reproduce: 1. 2. 3. From bugtraqs database: http://www.securityfocus.com/bid/9816/discussion/ It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system. This issue results due to insecure creation of directories during compilation. The attacker may potentially create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data. GNU Automake versions prior to 1.8.3 are reported to be affected by this vulnerability. I think this is not an issue of great significance but IMHO it should be kept in mind, perhaps there is a possibility to update to 1.8.3 and get rid of older versions or at least to get 1.8.3 into portage.
- epatch ${FILESDIR}/${P}-infopage-namechange.patch + epatch ${FILESDIR}/${PN}-1.8.2-infopage-namechange.patch In portage as KEYWORDS="~amd64 ~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~ppc64 ~s390" Please test.
Stable on AMD64.
Stable on sparc.
Removing arch-maintainers from CC list and leaving remaining arches as well as adding base-system. Note to self: s390@gentoo.org has no alias
stable on alpha and ia64
automake-1.8.3 is now stable on ppc. Removing from Cc.
Marked stable on x86.
Major arches covered now. automake-1.8.3: KEYWORDS="amd64 x86 ppc sparc alpha ~mips ~hppa ia64 ~ppc64 ~s390"
Stable on hppa.
Stable on mips.
GLSA 200404-08
