* Stefano Lattarini (stefano.lattar...@gmail.com) wrote:
> On 07/12/2012 08:23 PM, Eric Dorland wrote:
> > * Stefano Lattarini (stefano.lattar...@gmail.com) wrote:
> >> On 07/10/2012 12:14 AM, Eric Dorland wrote:
> >>>
> >>> Are older versions of automake also vulnerable?
> >>>
> >> Yes, all those back to 1.4 (at least). Sorry for not stating that
> >> explicitly.
> >
> > So I'm not obviously finding this vulnerability in automake 1.4. The
> > code has changed a lot clearly since then, but I'm not even finding a
> > chmod that looks similar. Can anyone confirm this problem is present
> > in automake 1.4?
> >
> ------------------
> Git Repository
> ------------------
>
> $ git clone git://git.savannah.gnu.org/automake.git
> $ cd automake
> $ git checkout Release-1-4-p6
> $ git grep -C3 'chmod 777.*distdir'
> Makefile.in-distdir: $(DISTFILES)
> Makefile.in-	-rm -rf $(distdir)
> Makefile.in-	mkdir $(distdir)
> Makefile.in:	-chmod 777 $(distdir)
> Makefile.in-	here=`cd $(top_builddir) && pwd`; \
> Makefile.in-	top_distdir=`cd $(distdir) && pwd`; \
> Makefile.in-	distdir=`cd $(distdir) && pwd`; \
Thanks! It looks like this was actually fixed in Debian a few years ago as part of the CVE-2009-4029 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4029) fix. Patch attached. You can see the source for the package at http://anonscm.debian.org/gitweb/?p=users/eric/automake.git;a=summary.

Looks good?

-- 
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
commit 1b276fa9a29e624d19745581f37ab6f516329964 Author: Eric Dorland <e...@debian.org> Date: Sat May 26 23:06:59 2012 -0400 Non-maintainer upload by the Security Team. * Non-maintainer upload by the Security Team. * Fixed CVE-2009-4029: do not assign insecure permissions to directories in build tree. diff --git a/Makefile.in b/Makefile.in index 73f4cf3..b38b279 100644 --- a/Makefile.in +++ b/Makefile.in @@ -457,7 +457,7 @@ dist-all: distdir distdir: $(DISTFILES) -rm -rf $(distdir) mkdir $(distdir) - -chmod 777 $(distdir) + -chmod 755 $(distdir) here=`cd $(top_builddir) && pwd`; \ top_distdir=`cd $(distdir) && pwd`; \ distdir=`cd $(distdir) && pwd`; \ @@ -478,7 +478,7 @@ distdir: $(DISTFILES) test -d $(distdir)/$$subdir \ || mkdir $(distdir)/$$subdir \ || exit 1; \ - chmod 777 $(distdir)/$$subdir; \ + chmod 755 $(distdir)/$$subdir; \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \ || exit 1; \ fi; \ diff --git a/automake.in b/automake.in index 059a034..741a086 100755 --- a/automake.in +++ b/automake.in @@ -2336,7 +2336,7 @@ sub handle_dist_worker # Create dist directory. $output_rules .= ("\t-rm -rf \$(distdir)\n" . "\tmkdir \$(distdir)\n" - . "\t-chmod 777 \$(distdir)\n"); + . "\t-chmod 755 \$(distdir)\n"); } # Only run automake in `dist' target if --include-deps and @@ -2468,7 +2468,7 @@ sub handle_dist_worker . "\t" . ' test -d $(distdir)/$$subdir ' . "\\\n" . "\t" . ' || mkdir $(distdir)/$$subdir ' . "\\\n" . "\t" . ' || exit 1; ' . "\\\n" - . "\t" . ' chmod 777 $(distdir)/$$subdir; ' . "\\\n" + . "\t" . ' chmod 755 $(distdir)/$$subdir; ' . "\\\n" . "\t" . ' (cd $$subdir' . ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(' . (($relative_dir eq '.') ? 'distdir' : 'top_distdir') diff --git a/debian/changelog b/debian/changelog index b9316b8..7b9d82e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +automake (1:1.4-p6-13.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fixed CVE-2009-4029: do not assign insecure permissions to directories in + build tree. + + -- Giuseppe Iuculano <iucul...@debian.org> Mon, 08 Mar 2010 23:10:11 +0100 + automake (1:1.4-p6-13) unstable; urgency=low * debian/rules:
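Review bot: in the Makefile.in `distdir` hunk, changing `-chmod 777 $(distdir)` to `-chmod 755 $(distdir)` removes the world-writable bit but still forces the directory to be world-readable and traversable even when the builder runs with a restrictive umask, although `mkdir $(distdir)` on the line above already honours that umask; `-chmod u+w $(distdir)`, or dropping the chmod line altogether, would keep the mode the builder asked for. The same applies to the matching `automake.in` hunk in handle_dist_worker, which emits this recipe. The leading `-` also means a failing chmod is silently ignored and the directory is left with whatever mode mkdir produced.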
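Review bot: in the `$$subdir` hunk of Makefile.in, `chmod 755 $(distdir)/$$subdir; \` is the one step in that recipe without an `|| exit 1`, while the `mkdir $(distdir)/$$subdir` just before it has one; either give the chmod the same error handling or, as with the top-level `distdir`, prefer `chmod u+w` so the recipe grants no explicit world permissions at all.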
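Review bot: the debian/changelog hunk records the `1:1.4-p6-13.1` upload as signed by Giuseppe Iuculano on Mon, 08 Mar 2010, while the commit header names Eric Dorland as author on Sat May 26 2012 and repeats the same two bullets verbatim; the commit message should say that it imports the 2010 Security Team NMU into the packaging repository, otherwise it reads as a new change made in 2012.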
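As an added example (not code from this thread or from the automake project), two checks a packager can run to confirm that neither the Makefile recipes nor the resulting dist tree hand out world-writable directories; the Makefile.in fragment and the dist tree it scans are constructed inline:

```shell
#!/bin/sh
# Added example, not code from the thread: two packager-side checks for the
# world-writable $(distdir) pattern the thread grepped for in automake 1.4.
#   find_insecure_chmod FILE : recipe lines in a Makefile.in that hand out
#                              world-writable modes (777, 0777, a+w, o+w, ...)
#   find_world_writable DIR  : directories under DIR that are world-writable,
#                              e.g. a $(distdir) left behind by `make dist`

find_insecure_chmod() {
    # Octal mode whose "others" digit has the write bit set (2,3,6,7), or a
    # symbolic mode granting write to all/others. "chmod u+w" is not flagged.
    grep -nE 'chmod[[:space:]]+(-R[[:space:]]+)?([0-7]?[0-7][0-7][2367]|[ao]?[+]w)([^[:alnum:]+]|$)' "$1" || true
}

insecure_chmod_count() {
    find_insecure_chmod "$1" | wc -l | tr -d ' '
}

find_world_writable() {
    # -perm -002: the o+w bit is set, whatever the other bits are
    find "$1" -type d -perm -002
}

world_writable_count() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed Makefile.in fragment and a constructed dist tree.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/Makefile.in" <<'EOF'
distdir: $(DISTFILES)
        -rm -rf $(distdir)
        mkdir $(distdir)
        -chmod 777 $(distdir)
        chmod 755 $(distdir)/$$subdir; \
        chmod -R a+w $(distdir)
EOF
    echo "== insecure chmod recipes in $tmp/Makefile.in"
    find_insecure_chmod "$tmp/Makefile.in"
    mkdir -p "$tmp/dist/sub"
    chmod 755 "$tmp/dist"
    chmod 777 "$tmp/dist/sub"   # simulates the pre-fix 'chmod 777 $(distdir)/$$subdir'
    echo "== world-writable directories under $tmp/dist"
    find_world_writable "$tmp/dist"
    rm -rf "$tmp"
}
demo
```

The first check flags the `-chmod 777` and `chmod -R a+w` lines but not `chmod 755`; the second reports only `dist/sub`.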