| Summary: | <sys-devel/automake-{1.11.6,1.12.2}: locally exploitable "make distcheck" bug (CVE-2012-3386) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | taaroa <taaroa> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
taaroa
2012-07-12 16:31:55 UTC
Version 1.12.2 and 1.11.6 are in tree already so that should be fine for those slots (need stable for 1.11.6 though I think). The problem is going to be related to automake 1.4~1.10 — seems like Debian already fixed in 1.4 with their backport for CVE-2009-4029, and afaict we have the same backport for our 1.4; the question is going to be whether this is also entirely fixed by the backports for 1.5, 1.6, 1.7, 1.8 and 1.9.

Sorry forgot to add, 1.10 lacks the backport because 1.10.3 was fixed upstream, so this bug should still be present. We might want to revisit what is using older automake and start masking the slots below 1.11 that can be migrated.

Thank you: taaroa for the report, Mike for bumping, and Diego for updating. May we proceed to stabilize =sys-devel/automake-1.11.6 ?

You might, but if you notice the summary I updated, it's not going to be solved just with stabling 1.11.6 — it's still going to be trouble for the other slots. We have to decide whether to mask them so that they get away or if we're going to backport the fix. Debian is likely going to backport it. For the 1.4 slot we might have it backported already like Debian has, but the others are still up to debate. So while the stable is a good idea, before involving the arches I'd like for somebody to take a look or a decision regarding the other slots.

CVE-2012-3386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386): The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.

1.11.6 should be good to go now

amd64 stable

Arch teams, please test and mark stable:
=sys-devel/automake-1.12.2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Ehm WHAT? automake-1.12 isn't safe in ~arch either, are you sure you want to mark that stable?

(In reply to comment #8)
> Arch teams, please test and mark stable:
> =sys-devel/automake-1.12.2
> Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Scrap that.

Arch teams, please test and mark stable:
=sys-devel/automake-1.11.6
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Stable for HPPA.

x86 stable

alpha/arm/ia64/m68k/s390/sh/sparc stable

ppc stable.

ppc64 stable, last arch done

Thanks, everyone. Adding to existing GLSA request. @base-system, any decision yet on what to do with the older slots? We will not be able to proceed with a GLSA until then.

This issue was resolved and addressed in GLSA 201310-15 at http://security.gentoo.org/glsa/glsa-201310-15.xml by GLSA coordinator Chris Reffett (creffett).
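
An added example, not part of the bug thread or of automake: because the thread leaves open whether backported slots are fixed, a version check alone is not conclusive, so this audit reads a generated `Makefile.in`, compares its automake version with the fixed releases named in the CVE text, and also flags any `chmod` that makes `$(distdir)` world-writable. The `generated by automake` header format, the shape of the `chmod` recipe line and the sample input are assumptions constructed for illustration.

```python
import re

# Assumed header format of a generated Makefile.in.
HEADER = re.compile(r"generated by automake (\d+(?:\.\d+)*)")
# Assumed recipe shape: chmod [options] MODE ... $(distdir)
CHMOD = re.compile(r"chmod\s+(?:-[A-Za-z]+\s+)*(\S+)\s+[^;&|]*?\$\(distdir\)")

def grants_world_write(mode):
    """True if a chmod mode (octal or symbolic) sets the o+w bit."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", clause)
        if m and "w" in m.group(3) and set(m.group(1)) & {"a", "o"}:
            return True
    return False

def affected_version(version):
    """CVE text: before 1.11.6, and 1.12.x before 1.12.2."""
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (1, 12):
        return v < (1, 12, 2)
    return v < (1, 11, 6)

def audit(makefile_text):
    """Report the generating version and world-writable chmods on $(distdir)."""
    m = HEADER.search(makefile_text)
    version = m.group(1) if m else None
    hits = [
        (lineno, mode)
        for lineno, line in enumerate(makefile_text.splitlines(), 1)
        for mode in CHMOD.findall(line)
        if grants_world_write(mode)
    ]
    return {
        "version": version,
        "version_affected": affected_version(version) if version else None,
        "world_writable_chmods": hits,
    }

# Constructed sample input, not taken from a real package.
SAMPLE = """# Makefile.in generated by automake 1.11.1 from Makefile.am.
distcheck: dist
\tchmod -R a-w $(distdir); chmod a+w $(distdir)
\tmkdir $(distdir)/_build
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A file whose version is flagged but whose recipe shows no world-writable `chmod` may carry a distribution backport, which is the case the older slots in this thread would fall into.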