Bug 45646 - GNU Automake <1.8.3: Insecure Temporary Directory Creation Symbolic Link Vulnerability
Bug#: 45646 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: schaedpq2@gmx.de
Component: GLSA Errors
URL:  http://www.securityfocus.com/bid/9816/info/
Summary: GNU Automake <1.8.3: Insecure Temporary Directory Creation Symbolic Link Vulnerability
Keywords:  
Status Whiteboard: 
Opened: 2004-03-24 14:26 0000
Description:   Opened: 2004-03-24 14:26 0000 
It has been reported that GNU Automake may be prone to a symbolic link
vulnerability that may allow an attacker to modify data or gain elevated
privileges on a vulnerable system.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.




From bugtraqs database:
http://www.securityfocus.com/bid/9816/discussion/

It has been reported that GNU Automake may be prone to a symbolic link
vulnerability that may allow an attacker to modify data or gain elevated
privileges on a vulnerable system. This issue results due to insecure creation
of directories during compilation. The attacker may potentially create symbolic
links in the place of files contained in the affected directories, which may
potentially lead to elevated privileges due to modification of data.

GNU Automake versions prior to 1.8.3 are reported to be affected by this
vulnerability.

I think this is not an issue of great significance but IMHO it should be kept
in
mind, perhaps there is a possibility to update to 1.8.3 and get rid of older
versions or at least to get 1.8.3 into portage.

------- Comment #1 From solar 2004-03-24 18:18:25 0000 ------- 
-	epatch ${FILESDIR}/${P}-infopage-namechange.patch
+	epatch ${FILESDIR}/${PN}-1.8.2-infopage-namechange.patch

In portage as
KEYWORDS="~amd64 ~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~ppc64 ~s390"

Please test.

------- Comment #2 From Jon Portnoy (RETIRED) 2004-03-26 17:24:21 0000 ------- 
Stable on AMD64.

------- Comment #3 From Jason Wever (RETIRED) 2004-03-26 17:54:50 0000 ------- 
Stable on sparc.

------- Comment #4 From solar 2004-03-26 18:55:17 0000 ------- 
Removing arch-maintainers from CC list and leaving remaining 
arches as well as adding base-system.

Note to self: s390@gentoo.org has no alias

------- Comment #5 From Aron Griffis (RETIRED) 2004-03-29 09:09:22 0000 ------- 
stable on alpha and ia64

------- Comment #6 From Lars Weiler (RETIRED) 2004-03-30 16:05:29 0000 ------- 
automake-1.8.3 is now stable on ppc.  Removing from Cc.

------- Comment #7 From Jon Portnoy (RETIRED) 2004-04-02 10:30:11 0000 ------- 
Marked stable on x86.

------- Comment #8 From solar 2004-04-03 12:41:20 0000 ------- 
Major arches covered now.

automake-1.8.3:
KEYWORDS="amd64 x86 ppc sparc alpha ~mips ~hppa ia64 ~ppc64 ~s390"

------- Comment #9 From Guy Martin 2004-04-04 03:05:08 0000 ------- 
Stable on hppa.

------- Comment #10 From Joshua Kinard 2004-04-08 02:57:07 0000 ------- 
Stable on mips.

------- Comment #11 From Kurt Lieber 2004-04-08 07:36:10 0000 ------- 
GLSA 200404-08