Permissions, Privileges, and Access Controls in libpng (Alpine package)



Published: 2012-08-02
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2012-3386
CWE-ID: CWE-264
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
libpng (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU32693

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-3386

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
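
A defender-side check for the condition described above, as an added example that is not part of the original bulletin: it flags generated Makefile.in files that still carry a world-writable distcheck rule, and directories in a tree that are world-writable without the sticky bit. The rule string, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a source/build tree for the distcheck issue.

# Assumed rule text written into Makefile.in by affected Automake releases;
# matched as a fixed string. The fixed rule is assumed to use "chmod u+w".
VULN_RULE='chmod a+w $(distdir)'

# Print Makefile.in/Makefile paths under $1 that still contain the rule.
scan_distcheck_rules() {
    # grep exits 1 when nothing matches; that is not an error here.
    find "$1" -type f \( -name Makefile.in -o -name Makefile \) \
        -exec grep -lF -- "$VULN_RULE" {} + || :
}

# Print directories under $1 that are world-writable without the sticky bit,
# so any local user can add, rename or replace entries inside them.
find_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Report both findings; return 0 for a clean tree, 1 otherwise.
audit_tree() {
    status=0
    rules=$(scan_distcheck_rules "$1")
    dirs=$(find_open_dirs "$1")
    if [ -n "$rules" ]; then
        printf 'distcheck rule makes $(distdir) world-writable:\n%s\n' "$rules"
        status=1
    fi
    if [ -n "$dirs" ]; then
        printf 'world-writable directory without sticky bit:\n%s\n' "$dirs"
        status=1
    fi
    return "$status"
}

# Constructed sample tree: one old-style and one fixed Makefile.in, plus a
# leftover extraction directory with mode 0777.
make_sample_tree() {
    mkdir -p "$1/old/pkg-1.0" "$1/new"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' > "$1/old/Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' > "$1/new/Makefile.in"
    chmod 0777 "$1/old/pkg-1.0"
}

# Usage: sh audit.sh /path/to/tree
[ "$#" -eq 0 ] || audit_tree "$1"
```

A non-zero exit from `audit_tree` makes it usable as a gate in a packaging or CI step before `make distcheck` is run on a shared host.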

Mitigation

Install update from vendor's website.

Vulnerable software versions

libpng (Alpine package): 1.4.11-r0

External links

http://git.alpinelinux.org/aports/commit/?id=b2343efd22068339ff40fa6f2843c0dc091b1a99
http://git.alpinelinux.org/aports/commit/?id=34b273c51b4fce732e99c67ea3f9100ae6fbddbe
http://git.alpinelinux.org/aports/commit/?id=062bb700ce703861444fbd608806926be84424e6
http://git.alpinelinux.org/aports/commit/?id=1115258c16958c17094b9a4a8bd1c70b32727e5e
http://git.alpinelinux.org/aports/commit/?id=dae12d8f92abd8d0e1836b5430613ef6408b9114
http://git.alpinelinux.org/aports/commit/?id=a3b337c04610053a647eb283518f6be19f07f7bf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


