Bugzilla – Bug 770618
VUL-1: CVE-2012-3386: automake: race condition in "distcheck"
Last modified: 2013-08-14 05:53:41 UTC
"distcheck" makes $(distdir) world-writable which could be exploited by local attackers to alter files which they would normally not have permissions for via a race condition flaw. More information (including patch proposal) available at: http://article.gmane.org/gmane.comp.sysutils.automake.patches/8572
Note: Basically all SLE products are affected by this issue.
Possibly workaround would be to use a restricted umask(1p) value. This is advisable anyway.
What's the status on this? automake 1.12.2 has been out for a while with a fix, but I haven't seen an update. The devel package for automake on the build server is already at 1.12.3: https://build.opensuse.org/package/files?package=automake&project=devel%3Atools%3Abuilding Would be great, if an update could be generated for 12.2.
Feel free to submit previously included pkg + fix.
Note. I have just submitted to 12.2.
Does this issue have really two cves? CVE-2009-4029: CVE-2012-3386:
Yes, it does. And it's for a reason. The difference is simply that it affects other parts of code of Automake plus different versions => two different flaws. Versions: --------- CVE-2009-4029: 1.11.1, 1.10.3 CVE-2012-3386: 1.11.6 and 1.12.x before 1.12.2 Code: --------- CVE-2009-4029: https://bugzilla.novell.com/show_bug.cgi?id=559815#c1 CVE-2012-3386: see link in c#0 Gonna return to BVB vs. Real Madrid now. :)
openSUSE-SU-2012:1519-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 770618 CVE References: CVE-2012-3386 Sources used: openSUSE 12.2 (src): automake-1.12.1-1.5.1, automake-testsuite-1.12.1-1.5.2
are we going to get a fix applied to SLE SP2?
The SWAMPID for this issue is 52047. This issue was rated as low. Please submit fixed packages until 2013-05-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
i suspect we will never ever be seeing another bug for automake in old codebases again, so Philipp, please submit a fixed automake for SLE11
I agree with Marcus. We should (finally) fix it. It has already been there for quite a while.
Fixed packages submitted: SLE11 SP2 26639 SLE11 SP3 26638
SLE11-SP2 submissions fails to build apparently.
Yes, I forgot to add Bison to BuildRequires both in SP2 and SP3. I've resubmitted the packages with this added and checked that they build successfully.
as there is no reason for a SP3 submission and it was not requested, please revoke the SP3 request.
OK, revoked the old sr and issued 26729 for SLE-11:Update:Test.
still not building. did you checkin the "bison" addition?
I did but accidentally required Bison which of cause can't be provided. Building starts properly so I'll submit it.
Philipp? Please submit fixed packages...
hello? :(
Submitted as sr 27545.
Request: #27545 submit: home:psmt:branches:SUSE:SLE-11:Update:Test/automake(cleanup) -> SUSE:SLE-11:Update:Test Message: Fix vulnerability in automake State: declined 2013-07-05T14:18:04 leonardocf Comment: E: The package fails to build, please check Review: declined Group: maintenance-team 2013-07-05T14:14:28 leonardocf E: The package fails to build, please check And yes, it did not build. Neither on May 28, nor today.
still no package here, and 5 patchinfos in the queue without a package over several months are really annoying ...
Finally the package built (locally) for SLE11. If it also builds in the OBS we can finally move on.
Update released for: automake Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: automake Products: SLE-SDK 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: automake Products: SLE-SDK 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
released