Bug 522638 - <sys-devel/automake-{1.10.3-r3,1.11.6-r3,1.12.6-r2,1.13.4-r2,1.14.1-r2,1.15.1-r2}: insecure use of /tmp in install-sh
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/au...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-12 10:58 UTC by Agostino Sarubbo
Modified: 2018-07-27 21:59 UTC

See Also:
Package list:
sys-devel/automake-1.9.6-r5 sys-devel/automake-1.10.3-r3 sys-devel/automake-1.11.6-r3 sys-devel/automake-1.12.6-r2 sys-devel/automake-1.13.4-r2 sys-devel/automake-1.14.1-r2 sys-devel/automake-1.15.1-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2014-09-12 10:58:02 UTC
From ${URL} :

It was discovered [1] that there's an issue in how automake handles temp directories.

When the destination directory does not exist, install-sh checks if 
"mkdir -p" works, but it does so in an insecure way. Here are the 
relevant parts of the code:

mkdirprog=${MKDIRPROG-mkdir}
# ...
	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0

	    if (umask $mkdir_umask &&
		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
	    then
# ...
	      rmdir "$tmpdir/d" "$tmpdir"
	    else
# ...

In some shells (such as dash) $RANDOM is not set, so $tmpdir is easily 
predictable. Moreover, "mkdir -p" follows symlinks to existing 
directories. Local attacker can exploit this to create or remove empty 
directories named "d". (But on modern Linux systems this is mitigated by 
the protected_symlinks feature.)


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
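
The failure mode described in the report, shown beside one hardened variant. This is an added example: it is not part of the original report and not the patch Gentoo shipped. Function names, return codes and the sandbox layout are constructed, and everything runs inside a private `mktemp -d` directory.

```sh
#!/bin/sh
# Added example: legacy vs. hardened "mkdir -p" probe. Function names, return
# codes and the sandbox layout are constructed for this illustration.

# Legacy probe, following the excerpt quoted in the report: "mkdir -p" accepts
# an existing path and resolves a symlink found at $tmpdir.
probe_legacy() {
    tmpdir=$1
    (umask 077 && exec mkdir -p -- "$tmpdir/d") >/dev/null 2>&1 || return 1
    rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null || :
    return 0
}

# Hardened probe (assumption: one possible fix). Plain mkdir fails with EEXIST
# on any existing name, symlinks included, so success proves this process just
# created $tmpdir, and umask 077 keeps other users out of it.
probe_hardened() {
    tmpdir=$1
    (umask 077 && exec mkdir -- "$tmpdir") >/dev/null 2>&1 || return 2
    if (umask 077 && exec mkdir -p -- "$tmpdir/d") >/dev/null 2>&1; then
        rmdir "$tmpdir/d" "$tmpdir" || :
        return 0
    fi
    rmdir "$tmpdir" 2>/dev/null || :
    return 1
}

# Constructed regression scenario inside a private sandbox: "ins-1234" stands
# in for the predictable name and already exists as a symlink to "other",
# which holds an empty directory "d". Prints "<probe exit code> <state of d>".
demo() {
    probe=$1
    box=$(mktemp -d) || return 99
    mkdir -p "$box/other/d"
    ln -s "$box/other" "$box/ins-1234"
    rc=0
    "$probe" "$box/ins-1234" || rc=$?
    state=intact
    [ -d "$box/other/d" ] || state=removed
    rm -rf "$box"
    echo "$rc $state"
}

echo "legacy:   $(demo probe_legacy)"
echo "hardened: $(demo probe_hardened)"
```

The legacy probe reports success while removing a directory it did not create; the hardened probe stops at the first mkdir and leaves the existing directory untouched.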
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2016-04-22 00:23:29 UTC
This has not been touched since 2014. Any updates?
Comment 2 SpanKY gentoo-dev 2016-04-22 02:09:35 UTC
looks like upstream still hasn't reviewed/merged it
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-11-01 04:46:01 UTC
Spanky and RedHat has it as "WontFix" ... what would you like to do?
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 15:33:28 UTC
From URL:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455

We believe that the bug you reported is fixed in the latest version of
automake-1.15, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760455@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software

Portage still uses 1.11 and 1.15 as stable
Comment 5 Larry the Git Cow gentoo-dev 2018-02-25 01:59:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43d394421ca6fcc030952d60200f2888fcd37cb6

commit 43d394421ca6fcc030952d60200f2888fcd37cb6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-25 01:39:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-25 01:58:45 +0000

    sys-devel/automake: Rev bump to address several issues
    
    Ebuild changes:
    ===============
    - EAPI bumped to EAPI=6 (1.9.x-1.14.x).
    
    - Avoid (low risk) race in /tmp (1.10.x-1.15.x). [Bug 522638]
    
    - Avoid makeinfo requirement when bootstrapping (1.14.x-1.15.x).
      [Bug 628912]
    
    - Fix man4.test failure (1.11.x). [Bug 583108]
    
    - Add Python 2.7 requirement for test suite. [Bug 483358, 623432]
    
    - Fix test failures when using >=app-arch/gzip-1.8 (1.14.x). [Bug 604570]
    
    - Updated GIT/SRC_URI to use HTTPS (1.14.x-1.15.x).
    
    - Live ebuild updated with changes from above (9999).
    
    Closes: https://bugs.gentoo.org/583108
    Closes: https://bugs.gentoo.org/483358
    Closes: https://bugs.gentoo.org/623432
    Closes: https://bugs.gentoo.org/604570
    Bug: https://bugs.gentoo.org/522638
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-devel/automake/automake-1.10.3-r3.ebuild       |  95 +++++++++++++++++
 sys-devel/automake/automake-1.11.6-r3.ebuild       | 106 +++++++++++++++++++
 sys-devel/automake/automake-1.12.6-r2.ebuild       |  93 +++++++++++++++++
 sys-devel/automake/automake-1.13.4-r2.ebuild       |  94 +++++++++++++++++
 sys-devel/automake/automake-1.14.1-r2.ebuild       | 112 +++++++++++++++++++++
 sys-devel/automake/automake-1.15.1-r2.ebuild       | 112 +++++++++++++++++++++
 sys-devel/automake/automake-1.9.6-r5.ebuild        |  95 +++++++++++++++++
 sys-devel/automake/automake-9999.ebuild            |  40 +++++---
 ....11-install-sh-avoid-low-risk-race-in-tmp.patch |  77 ++++++++++++++
 ...utomake-1.13-perl-escape-curly-bracket-r1.patch |  37 +++++++
 .../automake/files/automake-1.14-gzip-fix.patch    |  67 ++++++++++++
 ....14-install-sh-avoid-low-risk-race-in-tmp.patch |  77 ++++++++++++++
 ....15-install-sh-avoid-low-risk-race-in-tmp.patch |  82 +++++++++++++++
 .../files/automake-1.9.6-ignore-comments-r1.patch  |  29 ++++++
 .../automake-1.9.6-include-dir-prefix-r1.patch     |  31 ++++++
 .../automake-1.9.6-infopage-namechange-r1.patch    |  33 ++++++
 16 files changed, 1167 insertions(+), 13 deletions(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-03 21:40:03 UTC
@ Arches,

please test and mark stable:

  =sys-devel/automake-1.9.6-r5
  =sys-devel/automake-1.10.3-r3
  =sys-devel/automake-1.11.6-r3
  =sys-devel/automake-1.12.6-r2
  =sys-devel/automake-1.13.4-r2
  =sys-devel/automake-1.14.1-r2
  =sys-devel/automake-1.15.1-r2

TARGET KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-04 06:52:52 UTC
x86 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-04 10:16:54 UTC
ppc stable
Comment 9 Jason Zaman gentoo-dev 2018-03-04 10:19:59 UTC
amd64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-04 19:12:50 UTC
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-04 19:51:32 UTC
commit 97b4e66d71023608aec6c0c9d75e47d68e8b0fb7
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Sun Mar 4 12:04:00 2018 +0100

    sys-devel/automake: stable 1.15.1-r2 for sparc, bug #522638
Comment 12 Mart Raudsepp gentoo-dev 2018-03-05 00:38:24 UTC
arm64 stable (only SLOTs we had stable before)
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-05 19:01:40 UTC
Stable on alpha.
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-07 23:31:04 UTC
ppc64 stable
Comment 15 Markus Meier gentoo-dev 2018-03-13 17:38:52 UTC
arm stable
Comment 16 Larry the Git Cow gentoo-dev 2018-03-14 15:31:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a9e1eb2f8607d0297ff740766d91c7438f6026f

commit 8a9e1eb2f8607d0297ff740766d91c7438f6026f
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-03-14 15:31:02 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-03-14 15:31:02 +0000

    sys-devel/automake: Drop insecure revisions
    
    Bug: https://bugs.gentoo.org/522638
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-devel/automake/automake-1.10.3-r2.ebuild | 82 -----------------------
 sys-devel/automake/automake-1.11.6-r2.ebuild | 91 --------------------------
 sys-devel/automake/automake-1.12.6-r1.ebuild | 80 -----------------------
 sys-devel/automake/automake-1.12.6.ebuild    | 79 ----------------------
 sys-devel/automake/automake-1.13.4-r1.ebuild | 85 ------------------------
 sys-devel/automake/automake-1.14.1-r1.ebuild | 97 ---------------------------
 sys-devel/automake/automake-1.15.1-r1.ebuild | 98 ----------------------------
 sys-devel/automake/automake-1.9.6-r4.ebuild  | 83 -----------------------
 8 files changed, 695 deletions(-)
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-14 15:32:36 UTC
hppa was done too
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 20:19:41 UTC
GLSA Vote: No

Older insecure versions are masked in tree.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2018-07-27 21:59:49 UTC
commit 37da1c2bd5337066636d392e4f26e94d1f7f1b13
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Wed Mar 28 23:32:39 2018 -0400

    sys-devel/automake: mark 1.9.6-r5/1.10.3-r3/1.11.6-r3/1.12.6-r2/1.13.4-r2/1.14.1-r2/1.15.1-r2 arm64/m68k/s390/sh stable