Permissions, Privileges, and Access Controls in automake (Alpine package)

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU32693

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2012-3386

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

automake (Alpine package): 1.11-r0 - 1.11.1-r0

CPE2.3

• cpe:2.3:o:alpine:automake_alpine_package:1.11-r0:*:*:*:*:alpine_linux:*:1.9
• cpe:2.3:o:alpine:automake_alpine_package:1.11.1-r0:*:*:*:*:alpine_linux:*:2.3

External links

https://git.alpinelinux.org/aports/commit/?id=b2343efd22068339ff40fa6f2843c0dc091b1a99
https://git.alpinelinux.org/aports/commit/?id=34b273c51b4fce732e99c67ea3f9100ae6fbddbe
https://git.alpinelinux.org/aports/commit/?id=062bb700ce703861444fbd608806926be84424e6
https://git.alpinelinux.org/aports/commit/?id=1115258c16958c17094b9a4a8bd1c70b32727e5e
https://git.alpinelinux.org/aports/commit/?id=dae12d8f92abd8d0e1836b5430613ef6408b9114
https://git.alpinelinux.org/aports/commit/?id=a3b337c04610053a647eb283518f6be19f07f7bf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.