Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 45646

Summary: GNU Automake <1.8.3: Insecure Temporary Directory Creation Symbolic Link Vulnerability
Product: Gentoo Security Reporter: schaedpq
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, mr_bones_
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/bid/9816/info/
Whiteboard:
Package list:
Runtime testing required: ---

Description schaedpq 2004-03-24 14:26:00 UTC 
It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.




From bugtraqs database:
http://www.securityfocus.com/bid/9816/discussion/

It has been reported that GNU Automake may be prone to a symbolic link
vulnerability that may allow an attacker to modify data or gain elevated
privileges on a vulnerable system. This issue results due to insecure creation
of directories during compilation. The attacker may potentially create symbolic
links in the place of files contained in the affected directories, which may
potentially lead to elevated privileges due to modification of data.

GNU Automake versions prior to 1.8.3 are reported to be affected by this
vulnerability.

I think this is not an issue of great significance but IMHO it should be kept in
mind, perhaps there is a possibility to update to 1.8.3 and get rid of older
versions or at least to get 1.8.3 into portage.
Comment 1 solar (RETIRED) gentoo-dev 2004-03-24 18:18:25 UTC 
-	epatch ${FILESDIR}/${P}-infopage-namechange.patch
+	epatch ${FILESDIR}/${PN}-1.8.2-infopage-namechange.patch

In portage as
KEYWORDS="~amd64 ~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~ia64 ~ppc64 ~s390"

Please test.
Comment 2 Jon Portnoy (RETIRED) gentoo-dev 2004-03-26 17:24:21 UTC 
Stable on AMD64.
Comment 3 Jason Wever (RETIRED) gentoo-dev 2004-03-26 17:54:50 UTC 
Stable on sparc.
Comment 4 solar (RETIRED) gentoo-dev 2004-03-26 18:55:17 UTC 
Removing arch-maintainers from CC list and leaving remaining 
arches as well as adding base-system.

Note to self: s390@gentoo.org has no alias
Comment 5 Aron Griffis (RETIRED) gentoo-dev 2004-03-29 09:09:22 UTC 
stable on alpha and ia64
Comment 6 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 16:05:29 UTC 
automake-1.8.3 is now stable on ppc.  Removing from Cc.
Comment 7 Jon Portnoy (RETIRED) gentoo-dev 2004-04-02 10:30:11 UTC 
Marked stable on x86.
Comment 8 solar (RETIRED) gentoo-dev 2004-04-03 12:41:20 UTC 
Major arches covered now.

automake-1.8.3:
KEYWORDS="amd64 x86 ppc sparc alpha ~mips ~hppa ia64 ~ppc64 ~s390"
Comment 9 Guy Martin (RETIRED) gentoo-dev 2004-04-04 03:05:08 UTC 
Stable on hppa.
Comment 10 Joshua Kinard gentoo-dev 2004-04-08 02:57:07 UTC 
Stable on mips.
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 07:36:10 UTC 
GLSA 200404-08