Vulnerability identifier: #VU32693
Vulnerability risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Automake
Other software /
Other software solutions
Vendor: GNU
Description
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Automake: 1.11.1 - 1.11.5
External links
http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089187.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087538.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087665.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00038.html
http://rhn.redhat.com/errata/RHSA-2013-0526.html
http://www.mandriva.com/security/advisories?name=MDVSA-2012:103
http://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.