Mandriva Linux Security Advisory 2010-203 - The distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:203
http://www.mandriva.com/security/
_______________________________________________________________________
Package : automake
Date : October 13, 2010
Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered and corrected in automake:
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3,
and release branches branch-1-4 through branch-1-9, when producing a
distribution tarball for a package that uses Automake, assign insecure
permissions (777) to directories in the build tree, which introduces
a race condition that allows local users to modify the contents of
package files, introduce Trojan horse programs, or conduct other
attacks before the build is complete (CVE-2009-4029).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
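A defender-side check for the condition described above, added here as an example and not part of the Mandriva advisory or of Automake: it lists directories in a dist staging tree that other local users can write to, and can strip that permission. The function names and the constructed sample tree (`pkg-1.0/`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# List directories under $1 that "other" can write to. In such a directory
# any local user can add or replace entries while the tree is being packaged.
list_exposed_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Number of such directories (0 means the tree is not exposed this way).
count_exposed_dirs() {
    list_exposed_dirs "$1" | wc -l | tr -d '[:space:]'
}

# Drop group/other write from the exposed directories only; file modes and
# directories that were already restricted are left untouched.
tighten_dirs() {
    find "$1" -type d -perm -0002 -exec chmod go-w {} +
}

# Constructed sample: a staging tree shaped like pkg-1.0/ with two
# directories at mode 777 (as in the advisory) and one at mode 755.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pkg-1.0/src" "$root/pkg-1.0/doc"
    : > "$root/pkg-1.0/src/main.c"
    chmod 644 "$root/pkg-1.0/src/main.c"
    chmod 777 "$root/pkg-1.0" "$root/pkg-1.0/src"
    chmod 755 "$root/pkg-1.0/doc"
    printf '%s\n' "$root"
}

# Stand-alone use: audit the directory given as the first argument and
# exit non-zero if any exposed directory is found.
if [ "$#" -ge 1 ]; then
    list_exposed_dirs "$1"
    [ "$(count_exposed_dirs "$1")" -eq 0 ]
fi
```

Run against a package's staging directory while `make dist` or `make distcheck` is in progress, a non-empty listing indicates the directory modes this advisory describes.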
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4029
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMtf68mqjQ0CJFipgRAuD/AJ4kczw8DHZ/qYqSIEzOFBZ8d2s0XQCdEBtf
X3b5+C2azF+YazaE6POY6sE=
=TMoQ
-----END PGP SIGNATURE-----