SB2009122001 - Race condition in GNU Automake
Published: December 20, 2009 Updated: July 28, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Race condition (CVE-ID: CVE-2009-4029)
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Remediation
Install update from vendor's website.
References
- http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
- http://lists.gnu.org/archive/html/automake/2009-12/msg00011.html
- http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html
- http://lists.gnu.org/archive/html/automake/2009-12/msg00013.html
- http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html
- http://savannah.gnu.org/forum/forum.php?forum_id=6077
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021784.1-1
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0071
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:203
- http://www.securityfocus.com/archive/1/514526/100/0/threaded
- http://www.vupen.com/english/advisories/2009/3579
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11717