Bug 770618 - VUL-1: CVE-2012-3386: automake: race condition in "distcheck"
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:54019 maint...
Depends on:
Blocks:

Reported: 2012-07-10 08:51 UTC by Matthias Weckbecker
Modified: 2013-08-14 05:53 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments: none
Description Matthias Weckbecker 2012-07-10 08:51:48 UTC
"distcheck" makes $(distdir) world-writable which could be exploited
by local attackers to alter files which they would normally not have
permissions for via a race condition flaw.

More information (including patch proposal) available at:

  http://article.gmane.org/gmane.comp.sysutils.automake.patches/8572
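The permission state described in the report, as an added shell example that is not from the bug report or from automake itself; it assumes the pre-1.12.2 distcheck rule ran `chmod -R a-w $(distdir); chmod a+w $(distdir)` and that the 1.12.2 fix narrowed the second step to `chmod u+w`:

```shell
#!/bin/sh
# Added example, not code from the bug report or from automake. It reproduces
# the directory modes the assumed pre-1.12.2 distcheck rule left behind,
# checks for the world-writable top directory, and scans a generated
# Makefile.in for the assumed vulnerable rule.

# Return 0 if PATH is writable by "other": the state CVE-2012-3386 describes.
is_world_writable() {
    # "ls -ld" prints e.g. drwx-w--w-; character 9 is the other-write bit.
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the assumed distcheck chmod sequence on a constructed tree and report
# (via exit status) whether the top directory ends up world-writable.
# $1 is "vulnerable" (chmod a+w) or "fixed" (chmod u+w).
simulate_distcheck_chmod() {
    distdir=$(mktemp -d) || return 2
    echo 'AC_INIT([demo], [1.0])' > "$distdir/configure.ac"   # constructed file
    chmod -R a-w "$distdir"
    if [ "$1" = vulnerable ]; then
        chmod a+w "$distdir"    # old rule: any local user may add or replace entries
    else
        chmod u+w "$distdir"    # 1.12.2 rule: only the owner may
    fi
    if is_world_writable "$distdir"; then rc=0; else rc=1; fi
    chmod -R u+w "$distdir" && rm -rf "$distdir"
    return $rc
}

# Return 0 if a generated Makefile.in still carries the assumed old rule.
# distcheck is generated, so the check belongs on Makefile.in, not Makefile.am.
has_vulnerable_distcheck_rule() {
    grep -q 'chmod a+w \$(distdir)' "$1"
}

if [ "${1:-}" = --demo ]; then
    simulate_distcheck_chmod vulnerable && echo "a+w: distdir is world-writable"
    simulate_distcheck_chmod fixed || echo "u+w: distdir is not world-writable"
fi
```

Run with `--demo` to see both outcomes; point `has_vulnerable_distcheck_rule` at a project's generated Makefile.in to find trees still regenerated by an unfixed automake.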
Comment 1 Matthias Weckbecker 2012-07-10 08:56:19 UTC
Note: Basically all SLE products are affected by this issue.
Comment 2 Matthias Weckbecker 2012-07-10 09:03:05 UTC
A possible workaround would be to use a restricted umask(1p) value. This is
advisable anyway.
Comment 4 Arun Persaud 2012-10-22 03:44:05 UTC
What's the status on this? automake 1.12.2 has been out for a while with a fix, but I haven't seen an update. The devel package for automake on the build server is already at 1.12.3:

https://build.opensuse.org/package/files?package=automake&project=devel%3Atools%3Abuilding

Would be great if an update could be generated for 12.2.
Comment 5 Matthias Weckbecker 2012-10-22 12:29:57 UTC
Feel free to submit previously included pkg + fix.
Comment 6 Matthias Weckbecker 2012-10-24 08:42:37 UTC
Note: I have just submitted to 12.2.
Comment 7 Marcus Meissner 2012-10-24 17:12:30 UTC
Does this issue really have two CVEs?
 CVE-2009-4029: 
 CVE-2012-3386:
Comment 8 Matthias Weckbecker 2012-10-24 19:00:01 UTC
Yes, it does. And it's for a reason. The difference is simply that it affects
other parts of Automake's code, plus different versions => two different flaws.

Versions:
---------
CVE-2009-4029: 1.11.1, 1.10.3
CVE-2012-3386: 1.11.6 and 1.12.x before 1.12.2

Code:
---------
CVE-2009-4029: https://bugzilla.novell.com/show_bug.cgi?id=559815#c1
CVE-2012-3386: see link in c#0

Gonna return to BVB vs. Real Madrid now. :)
Comment 9 Swamp Workflow Management 2012-11-21 13:08:34 UTC
openSUSE-SU-2012:1519-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 770618
CVE References: CVE-2012-3386
Sources used:
openSUSE 12.2 (src):    automake-1.12.1-1.5.1, automake-testsuite-1.12.1-1.5.2
Comment 10 wendy palm 2013-04-04 17:38:50 UTC
Are we going to get a fix applied to SLE SP2?
Comment 11 Swamp Workflow Management 2013-04-05 14:51:03 UTC
The SWAMPID for this issue is 52047.
This issue was rated as low.
Please submit fixed packages until 2013-05-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 12 Marcus Meissner 2013-04-05 14:51:56 UTC
I suspect we will never ever be seeing another bug for automake in old codebases again, so Philipp, please submit a fixed automake for SLE11.
Comment 13 Matthias Weckbecker 2013-04-08 11:39:58 UTC
I agree with Marcus. We should (finally) fix it. It has already been there for
quite a while.
Comment 15 Philipp Thomas 2013-05-27 10:37:32 UTC
Fixed packages submitted:
  SLE11 SP2 26639
  SLE11 SP3 26638
Comment 16 Matthias Weckbecker 2013-05-27 11:44:10 UTC
SLE11-SP2 submission fails to build apparently.
Comment 17 Philipp Thomas 2013-05-27 14:59:23 UTC
Yes, I forgot to add Bison to BuildRequires both in SP2 and SP3. I've resubmitted the packages with this added and checked that they build successfully.
Comment 18 Marcus Meissner 2013-05-27 15:02:16 UTC
As there is no reason for a SP3 submission and it was not requested, please revoke the SP3 request.
Comment 19 Philipp Thomas 2013-05-27 15:22:19 UTC
OK, revoked the old sr and issued 26729 for SLE-11:Update:Test.
Comment 20 Marcus Meissner 2013-05-28 12:25:17 UTC
Still not building.

Did you check in the "bison" addition?
Comment 22 Philipp Thomas 2013-05-28 14:02:12 UTC
I did, but accidentally required Bison, which of course can't be provided. Building starts properly, so I'll submit it.
Comment 23 Marcus Meissner 2013-06-03 05:06:50 UTC
Philipp? Please submit fixed packages...
Comment 24 Marcus Meissner 2013-06-14 05:57:40 UTC
hello? :(
Comment 25 Philipp Thomas 2013-07-05 14:15:05 UTC
Submitted as sr 27545.
Comment 26 Marcus Meissner 2013-07-05 15:00:24 UTC
Request: #27545

  submit:       home:psmt:branches:SUSE:SLE-11:Update:Test/automake(cleanup) -> SUSE:SLE-11:Update:Test


Message:
Fix vulnerability in automake

State:   declined   2013-07-05T14:18:04 leonardocf
Comment: E: The package fails to build, please check

Review:  declined   Group: maintenance-team                            2013-07-05T14:14:28 leonardocf            E: The package fails to build, please check

And yes, it did not build.

Neither on May 28, nor today.
Comment 27 Ruediger Oertel 2013-07-22 13:10:17 UTC
Still no package here, and 5 patchinfos in the queue without a package over
several months are really annoying ...
Comment 29 Philipp Thomas 2013-08-05 08:02:25 UTC
Finally the package built (locally) for SLE11. If it also builds in the OBS we can finally move on.
Comment 33 Swamp Workflow Management 2013-08-13 18:04:21 UTC
Update released for: automake
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 34 Swamp Workflow Management 2013-08-13 18:52:14 UTC
Update released for: automake
Products:
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 35 Swamp Workflow Management 2013-08-13 19:47:37 UTC
Update released for: automake
Products:
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 36 Marcus Meissner 2013-08-14 05:53:41 UTC
released