-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:203
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : automake
 Date    : October 13, 2010
 Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in automake:

 The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3,
 and release branches branch-1-4 through branch-1-9, when producing
 a distribution tarball for a package that uses Automake, assign
 insecure permissions (777) to directories in the build tree, which
 introduces a race condition that allows local users to modify the
 contents of package files, introduce Trojan horse programs, or conduct
 other attacks before the build is complete (CVE-2009-4029).

 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct this issue.
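 An added example, not part of Mandriva's advisory or of Automake: a
 POSIX shell audit for the condition described above, directories in a
 build or dist tree that any local user can write to. The function names
 are hypothetical; the tree to check is passed as the only argument.

```shell
#!/bin/sh
# Added example: audit a build/dist tree for directories that are
# writable by every local user (the exposure behind CVE-2009-4029).

# list_exposed_dirs TREE
# Print each directory under TREE that is world-writable and has no
# sticky bit, so any local user may add, replace or delete its entries.
list_exposed_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# count_exposed_dirs TREE
# Print how many such directories exist. One marker line is emitted per
# match, so names containing newlines are still counted once.
count_exposed_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec echo x \; \
        | wc -l | tr -d ' '
}

# audit_tree TREE
# Return 0 when the tree is clean; otherwise report the offending
# directories on stderr and return 1 (usable as a CI or pre-release gate).
audit_tree() {
    n=$(count_exposed_dirs "$1")
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    echo "$n world-writable directories under $1:" >&2
    list_exposed_dirs "$1" >&2
    return 1
}

# tighten_tree TREE
# Drop group/other write permission from every directory under TREE,
# leaving owner access and the read/search bits as they were.
tighten_tree() {
    find "$1" -type d -exec chmod go-w {} +
}
```

 Run audit_tree on the unpacked distdir before and after "make dist" on
 shared build hosts; a non-zero status means the tree was exposed.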
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4029
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMtf68mqjQ0CJFipgRAuD/AJ4kczw8DHZ/qYqSIEzOFBZ8d2s0XQCdEBtf
X3b5+C2azF+YazaE6POY6sE=
=TMoQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/