#VU32693 Permissions, Privileges, and Access Controls in Automake - CVE-2012-3386
Vulnerability identifier: #VU32693
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Automake
Other software /
Other software solutions
Vendor: GNU
Description
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Automake: 1.11.1 - 1.11.5
External links
https://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089187.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-September/087538.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-September/087665.html
https://lists.opensuse.org/opensuse-updates/2012-11/msg00038.html
https://rhn.redhat.com/errata/RHSA-2013-0526.html
https://www.mandriva.com/security/advisories?name=MDVSA-2012:103
https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
