Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 426336 (CVE-2012-3386) - <sys-devel/automake-{1.11.6,1.12.2}: locally exploitable "make distcheck" bug (CVE-2012-3386)
Summary: <sys-devel/automake-{1.11.6,1.12.2}: locally exploitable "make distcheck" bug...
Status: RESOLVED FIXED
Alias: CVE-2012-3386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/aut...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-12 16:31 UTC by taaroa
Modified: 2013-10-26 00:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 12:58:11 UTC
Version 1.12.2 and 1.11.6 are in tree already so that should be fine for those slots (need stable for 1.11.6 though I think).

The problem is going to be related to automake 1.4~1.10 — seems like Debian already fixed in 1.4 with their backport for CVE-2009-4029, and afaict we have the same backport for our 1.4; the question is going to be whether this is also entirely fixed by the backports for 1.5, 1.6, 1.7, 1.8 and 1.9.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 12:59:30 UTC
Sorry forgot to add, 1.10 lacks the backport because 1.10.3 was fixed upstream, so this bug should still be present. We might want to revisit what is using older automake and start masking the slots below 1.11 that can be migrated.
Comment 3 Sean Amoss gentoo-dev Security 2012-07-13 17:22:29 UTC
Thank you: taaroa for the report, Mike for bumping, and Diego for updating. 

May we proceed to stabilize =sys-devel/automake-1.11.6 ?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-13 17:28:13 UTC
You might, but if you notice the summary I updated, it's not going to be solved just with stabling 1.11.6 — it's still going to be trouble for the other slots.

We have to decide whether to mask them so that they get away or if we're going to backport the fix. Debian is likely going to backport it. For the 1.4 slot we might have it backported already like Debian has, but the others are still up to debate.

So while the stable is a good idea, before involving the arches I'd like for somebody to take a look or a decision regarding the other slots.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 11:31:43 UTC
CVE-2012-3386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386):
  The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before
  1.12.2 grants world-writable permissions to the extraction directory, which
  introduces a race condition that allows local users to execute arbitrary
  code via unspecified vectors.
Comment 6 SpanKY gentoo-dev 2012-08-13 03:04:30 UTC
1.11.6 should be good to go now
Comment 7 Agostino Sarubbo gentoo-dev 2012-08-14 12:52:21 UTC
amd64 stable
Comment 8 Jeroen Roovers gentoo-dev 2012-08-14 13:50:24 UTC
Arch teams, please test and mark stable:
=sys-devel/automake-1.12.2
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-08-14 13:52:01 UTC
Ehm WHAT? automake-1.12 isn't safe in ~arch either, are you sure you want to mark that stable?
Comment 10 Jeroen Roovers gentoo-dev 2012-08-14 13:52:36 UTC
(In reply to comment #8)
> Arch teams, please test and mark stable:
> =sys-devel/automake-1.12.2
> Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Scrap that.

Arch teams, please test and mark stable:
=sys-devel/automake-1.11.6
Stable KEYWORDS : alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 11 Jeroen Roovers gentoo-dev 2012-08-15 00:30:41 UTC
Stable for HPPA.
Comment 12 Johannes Huber gentoo-dev 2012-08-15 18:45:13 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:53:59 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 14 Michael Weber (RETIRED) gentoo-dev 2012-08-23 14:45:11 UTC
ppc stable.
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 13:21:10 UTC
ppc64 stable, last arch done
Comment 16 Sean Amoss gentoo-dev Security 2012-09-20 13:30:19 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 17 Sean Amoss gentoo-dev Security 2012-10-02 23:37:59 UTC
@base-system, any decision yet on what to do with the older slots? We will not be able to proceed with a GLSA until then.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-10-26 00:23:56 UTC
This issue was resolved and addressed in
 GLSA 201310-15 at http://security.gentoo.org/glsa/glsa-201310-15.xml
by GLSA coordinator Chris Reffett (creffett).