(CVE-2012-3386) CVE-2012-3386 automake: locally exploitable "make distcheck" bug

Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
  everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.

Created attachment 596864
planned fix

FYI, Stefano wrote:

  "git blame" tells me that the offending "chmod a+w" command has been there
  (ignoring trivial changes and code movements) since almost "forever" (at
  least since commit 6a60072d, where configure.in defines an Automake
  version of 1.4a).

Stefano plans to release fixed automake in the next day or so.

Thank you very much for reporting this.

Do you need a new CVE for this, or is there already a CVE request/assignment in progress?

Yes, please. If you can give us a CVE number, that'd be welcome.

(In reply to comment #5)
> Yes, please. If you can give us a CVE number, that'd be welcome.

Please use CVE-2012-3386 for this issue. Thanks!

The patch/bug are now public:

  http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

In addition, GNU Automake 1.12.2 (with this fix) has been released.

Created automake17 tracking bugs for this issue

Affects: fedora-all [bug 838661]

Created automake tracking bugs for this issue

Affects: fedora-all [bug 838660]

Fixed upstream in GIT and versions 1.11.6 and 1.12.2.

References:

http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html

Acknowledgements:

Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0526 https://rhn.redhat.com/errata/RHSA-2013-0526.html

Statement:

This issue affects the version of automake15, automake16 and automake17 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of automake15 and automake16 as shipped with Red Hat Enterprise Linux 6. A future update may address this flaw in various affected versions of automake.

IssueDescription:

It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1243 https://rhn.redhat.com/errata/RHSA-2014-1243.html