45646 2004-03-24 14:26 0000 GNU Automake <1.8.3: Insecure Temporary Directory Creation Symbolic Link Vulnerability 2004-04-08 07:36:10 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All Linux RESOLVED FIXED http://www.securityfocus.com/bid/9816/info/ P2 normal --- 1 schaedpq2@gmx.de security@gentoo.org base-system@gentoo.org mr_bones_@gentoo.org schaedpq2@gmx.de 2004-03-24 14:26:00 0000 It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system. Reproducible: Didn't try Steps to Reproduce: 1. 2. 3. From bugtraqs database: http://www.securityfocus.com/bid/9816/discussion/ It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system. This issue results due to insecure creation of directories during compilation. The attacker may potentially create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data. GNU Automake versions prior to 1.8.3 are reported to be affected by this vulnerability. I think this is not an issue of great significance but IMHO it should be kept in mind, perhaps there is a possibility to update to 1.8.3 and get rid of older versions or at least to get 1.8.3 into portage. solar@gentoo.org 2004-03-24 18:18:25 0000 - epatch ${FILESDIR}/${P}-infopage-namechange.patch + epatch ${FILESDIR}/${PN}-1.8.2-infopage-namechange.patch In portage as KEYWORDS="~amd64 ~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~ppc64 ~s390" Please test. avenj@gentoo.org 2004-03-26 17:24:21 0000 Stable on AMD64. weeve@gentoo.org 2004-03-26 17:54:50 0000 Stable on sparc. solar@gentoo.org 2004-03-26 18:55:17 0000 Removing arch-maintainers from CC list and leaving remaining arches as well as adding base-system. Note to self: s390@gentoo.org has no alias agriffis@gentoo.org 2004-03-29 09:09:22 0000 stable on alpha and ia64 pylon@gentoo.org 2004-03-30 16:05:29 0000 automake-1.8.3 is now stable on ppc. Removing from Cc. avenj@gentoo.org 2004-04-02 10:30:11 0000 Marked stable on x86. solar@gentoo.org 2004-04-03 12:41:20 0000 Major arches covered now. automake-1.8.3: KEYWORDS="amd64 x86 ppc sparc alpha ~mips ~hppa ia64 ~ppc64 ~s390" gmsoft@gentoo.org 2004-04-04 03:05:08 0000 Stable on hppa. kumba@gentoo.org 2004-04-08 02:57:07 0000 Stable on mips. klieber@gentoo.org 2004-04-08 07:36:10 0000 GLSA 200404-08