Bug 426336 (CVE-2012-3386)

Summary: <sys-devel/automake-{1.11.6,1.12.2}: locally exploitable "make distcheck" bug (CVE-2012-3386)
Product: Gentoo Security
Reporter: taaroa <taaroa>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 12:58:11 UTC
Versions 1.12.2 and 1.11.6 are in tree already so that should be fine for those slots (need stable for 1.11.6 though I think).

The problem is going to be related to automake 1.4~1.10 — seems like Debian already fixed in 1.4 with their backport for CVE-2009-4029, and afaict we have the same backport for our 1.4; the question is going to be whether this is also entirely fixed by the backports for 1.5, 1.6, 1.7, 1.8 and 1.9.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 12:59:30 UTC
Sorry, forgot to add, 1.10 lacks the backport because 1.10.3 was fixed upstream, so this bug should still be present. We might want to revisit what is using older automake and start masking the slots below 1.11 that can be migrated.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-13 17:22:29 UTC
Thank you: taaroa for the report, Mike for bumping, and Diego for updating. 

May we proceed to stabilize =sys-devel/automake-1.11.6 ?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 17:28:13 UTC
You might, but if you notice the summary I updated, it's not going to be solved just with stabling 1.11.6 — it's still going to be trouble for the other slots.

We have to decide whether to mask them so that they get away or if we're going to backport the fix. Debian is likely going to backport it. For the 1.4 slot we might have it backported already like Debian has, but the others are still up to debate.

So while the stable is a good idea, before involving the arches I'd like for somebody to take a look or a decision regarding the other slots.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 11:31:43 UTC
CVE-2012-3386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386):
  The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before
  1.12.2 grants world-writable permissions to the extraction directory, which
  introduces a race condition that allows local users to execute arbitrary
  code via unspecified vectors.
Comment 6 SpanKY gentoo-dev 2012-08-13 03:04:30 UTC
1.11.6 should be good to go now
Comment 7 Agostino Sarubbo gentoo-dev 2012-08-14 12:52:21 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-14 13:50:24 UTC
Arch teams, please test and mark stable:
=sys-devel/automake-1.12.2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-08-14 13:52:01 UTC
Ehm WHAT? automake-1.12 isn't safe in ~arch either, are you sure you want to mark that stable?
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-14 13:52:36 UTC
(In reply to comment #8)
> Arch teams, please test and mark stable:
> =sys-devel/automake-1.12.2
> Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Scrap that.

Arch teams, please test and mark stable:
=sys-devel/automake-1.11.6
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-15 00:30:41 UTC
Stable for HPPA.
Comment 12 Johannes Huber (RETIRED) gentoo-dev 2012-08-15 18:45:13 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:53:59 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 14 Michael Weber (RETIRED) gentoo-dev 2012-08-23 14:45:11 UTC
ppc stable.
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 13:21:10 UTC
ppc64 stable, last arch done
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 13:30:19 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-02 23:37:59 UTC
@base-system, any decision yet on what to do with the older slots? We will not be able to proceed with a GLSA until then.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-10-26 00:23:56 UTC
This issue was resolved and addressed in
 GLSA 201310-15 at http://security.gentoo.org/glsa/glsa-201310-15.xml
by GLSA coordinator Chris Reffett (creffett).