Vulnerability identifier: #VU32693

Vulnerability risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-3386

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Automake
Other software / Other software solutions

Vendor: GNU

Description

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Automake: 1.11.1 - 1.11.5

---

External links
http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089187.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087538.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087665.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00038.html
http://rhn.redhat.com/errata/RHSA-2013-0526.html
http://www.mandriva.com/security/advisories?name=MDVSA-2012:103
http://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.