| Summary: | sys-devel/automake: "make dist" race condition (CVE-2009-4029) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system, flameeyes |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 295947 | | |
Description
Robert Buchholz (RETIRED)
2009-12-01 18:31:21 UTC
I guess the good side is that we should be able to patch all automake versions. The bad news is that we're going to have to patch all automake versions. Oh, and the bad side is that we have no way to find out if there is any compromised tarball out there.

I've added upstream 1.10.3 and 1.11.1 as they contain the fix, and I've added the upstream git commits for older ebuilds, so new versions:
automake-1.4_p6-r1
automake-1.5-r1
automake-1.6.3-r1
automake-1.7.9-r2
automake-1.8.5-r4
automake-1.9.6-r3
automake-1.10.3
automake-1.11.1
We should be OK to push for stabilization on these packages now ...

CVE-2009-4029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029):
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.

I think the CVE text is incorrect ... the point of the 1.11.1 and 1.10.3 and related releases was to fix this CVE, not to cause it.

arches: see comment #3 for versions to stable

(In reply to comment #7)
> arches: see comment #3 for versions to stable
SLOT=1.11 is excluded, I assume.

There is Bug 295947 to track automake 1.11 stabilization if you don't want to do it right away.

Stable for HPPA (except 1.11.1).

x86 stable

ppc64 done except for -1.11.x

amd64/arm stable

Marked ppc stable.

alpha/ia64/m68k/s390/sh/sparc stable

GLSA request filed.

This issue was resolved and addressed in GLSA 201310-15 at http://security.gentoo.org/glsa/glsa-201310-15.xml by GLSA coordinator Chris Reffett (creffett).
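The CVE text quoted in the thread describes the mechanism (the dist rule making staging directories 777, leaving a window in which any local user can alter files before they are tarred) but the thread does not show it. The following is an added example, not code from this bug, the GLSA or upstream automake: it reproduces the 777 fixup on a constructed throwaway tree next to a hardened form (assumed here from the fix's intent, not copied from the upstream commits the thread refers to; check those commits for the exact change), and gives two checks a maintainer can run: counting world-writable directories in a staging tree, and grepping a generated Makefile.in for the vulnerable fixup. The Makefile.in fragment is constructed, so its other lines are only a stand-in.

```shell
#!/bin/sh
# Added example; not code from the Gentoo bug, the GLSA or upstream automake.
# Reproduces, on a throwaway tree, the permission pattern the CVE describes
# (directories in the dist staging tree made 777) next to an assumed
# hardened form, plus two checks a package maintainer can run.

# Build a constructed stand-in for an automake $(distdir) staging tree and
# print its path. umask 022 keeps fresh directories at 755 regardless of
# the caller's umask.
make_distdir() {
    base=$(mktemp -d) || return 1
    (umask 022 && mkdir -p "$base/pkg-1.0/src" "$base/pkg-1.0/doc") || return 1
    printf 'int main(void) { return 0; }\n' > "$base/pkg-1.0/src/main.c"
    printf 'constructed sample docs\n' > "$base/pkg-1.0/doc/README"
    printf '%s\n' "$base/pkg-1.0"
}

# Pre-fix behaviour as the CVE describes it: every directory in the staging
# tree becomes world-writable, so any local user can replace or add files
# between this step and the tar step of the dist rule.
vulnerable_fixup() {
    chmod -R a+r "$1" &&
    find "$1" -type d ! -perm -777 -exec chmod a+rwx {} \;
}

# Hardened form, assumed here from the fix's intent rather than copied from
# the upstream commit: owner rwx, everyone else rx, so other users cannot
# write into the tree while it is being packed.
hardened_fixup() {
    chmod -R a+r "$1" &&
    find "$1" -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \;
}

# Check 1: count directories under a tree that carry the other-write bit
# (mode bit 002). Prints the count.
count_world_writable_dirs() {
    find "$1" -type d -perm -002 | wc -l | tr -d ' '
}

# Check 2: does a generated Makefile.in still carry the 777 fixup?
# Exit status 0 means the vulnerable pattern is present.
makefile_in_has_777_fixup() {
    grep -q -e '-perm -777' -e 'chmod a+rwx' "$1"
}

# Constructed Makefile.in fragment for check 2 (a stand-in for the generated
# distdir rule, not its real text). Prints the path of the file it wrote.
write_sample_makefile_in() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'distdir: $(DISTFILES)' \
        '        find "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \;' \
        '        tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz' \
        > "$f"
    printf '%s\n' "$f"
}
```

Run the two fixups against separate fresh trees: on a 755 tree `hardened_fixup` changes nothing and `count_world_writable_dirs` reports 0, while `vulnerable_fixup` turns all three directories 777. Note that the hardened rule only sets modes on directories that are not already 755, so it does not undo a 777 tree; a tree that was already staged by a vulnerable automake has to be re-created, not re-fixed. The grep in check 2 is the quickest way to tell whether a release tarball was generated by a pre-fix automake, even though, as the thread says, it cannot tell whether anyone actually won the race on the builder's machine.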