Permissions, Privileges, and Access Controls in GNU Automake

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU32693

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-3386

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Automake: 1.11.1 - 1.11.5

CPE2.3

• cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
• cpe:2.3:a:gnu:automake:1.11.2:*:*:*:*:*:*:*
• cpe:2.3:a:gnu:automake:1.11.3:*:*:*:*:*:*:*

External links

http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089187.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087538.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087665.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00038.html
http://rhn.redhat.com/errata/RHSA-2013-0526.html
http://www.mandriva.com/security/advisories?name=MDVSA-2012:103
http://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.