Open MPI Development Mailing List Archives

Subject: [OMPI devel] Fwd: CVE-2012-3386 Automake security fix for 'make distcheck'
From: Jeff Squyres (jsquyres_at_[hidden])
Date: 2012-07-09 15:11:21


We had just recently bumped up the Autotools triple used to create the trunk and v1.7 tarballs to include Automake 1.12.1. Due to the notice below, I have bumped it up to 1.12.2. Nightly tarballs starting tonight will use this new version.

I have also patched the Automake that is being used to generate the v1.6 tarballs (1.11.3) per the notice below. Nightly tarballs starting tonight will use this patched version.

Since we are no longer generating tarballs for versions older than v1.6, I do not intend to patch any further versions of Automake, nor generate any new versions of older OMPI tarballs.

Begin forwarded message:

> From: Stefano Lattarini <stefano.lattarini_at_[hidden]>
> Subject: CVE-2012-3386 Automake security fix for 'make distcheck'
> Date: July 9, 2012 12:26:01 PM EDT
> To: Automake List <automake_at_[hidden]>
> Cc: <info-gnu_at_[hidden]>, <autotools-announce_at_[hidden]>
>
> GNU Automake 1.12.2 as well as 1.11.6 fix a locally-exploitable
> security-related race condition that affects "make distcheck" for
> all packages that use Automake.
>
> Before the fix, the recipe of the 'distcheck' target granted temporary
> world-write permissions on the extracted distdir. This introduced
> a locally exploitable race condition for those who run "make distcheck"
> with a non-restrictive umask (e.g., 022) in a directory that was
> accessible by others. A successful exploit would result in arbitrary
> code execution with the privileges of the user running "make distcheck".
>
> It is important to stress that this vulnerability impacts not only
> the Automake package itself, but all packages with Automake-generated
> makefiles. For an effective fix it is necessary to regenerate the
> Makefile.in files with a fixed Automake version.
>
> For release series older than 1.11.x, no fix has been applied to
> the git repository, and no official new release is planned that
> fixes the vulnerability. Users interested in having such a fix in
> older releases will have to apply it manually (the attached patch is
> what we used on the 1.11.6 and 1.12.2 release).
>
> The issue was found and fixed by Stefano Lattarini. Jim Meyering
> wrote a proof-of-concept script showing that the vulnerability is
> easy to exploit.

-- 
Jeff Squyres
jsquyres_at_[hidden]
For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/
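
The advisory says the fix only takes effect once the Makefile.in files are regenerated with a fixed Automake, and the message above describes a hand-patched 1.11.3, so a version check alone would misreport that case. The following triage script is an added example, not part of the original message and not code from Automake or Open MPI; it reads both the header version and the distcheck recipe. Assumptions: the header comment format, the recipe strings `chmod a+w $(distdir)` (pre-fix) and `chmod u+w $(distdir)` (fixed), and all function names are this example's own and do not appear in the message.

```shell
#!/bin/sh
# Version recorded in the header comment Automake writes into Makefile.in.
am_version() {
    sed -n 's/^# Makefile\.in generated by automake \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if VERSION predates the fixed releases named in the advisory
# (1.11.6 and 1.12.2); every series older than 1.11.x counts as unfixed.
version_predates_fix() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "${1:-0}" -eq 1 ] || return 1          # only 1.x versions are handled
    minor=${2:-0}; patch=${3:-0}
    case $minor in
        11) [ "$patch" -lt 6 ] ;;
        12) [ "$patch" -lt 2 ] ;;
        *)  [ "$minor" -lt 11 ] ;;
    esac
}

# Classify one Makefile.in. ASSUMPTION: the pre-fix recipe is recognised by
# the text 'chmod a+w $(distdir)'; that string does not appear in the message.
classify() {
    ver=$(am_version "$1")
    if ! grep -q '^distcheck:' "$1"; then echo "NO-DISTCHECK ${ver:-unknown}"
    elif grep -q 'chmod a+w \$(distdir)' "$1"; then echo "VULNERABLE ${ver:-unknown}"
    elif version_predates_fix "$ver"; then echo "PATCHED ${ver}"
    else echo "OK ${ver:-unknown}"; fi
}

# Report every Makefile.in under a source tree as "path: STATUS VERSION".
scan_tree() {
    find "$1" -type f -name Makefile.in | sort | while IFS= read -r f; do
        echo "$f: $(classify "$f")"
    done
}

# Constructed sample fragments (not real project files) for an offline run.
make_samples() {
    mkdir -p "$1/old" "$1/patched" "$1/new"
    hdr='# Makefile.in generated by automake %s from Makefile.am.\ndistcheck: dist\n'
    { printf "$hdr" 1.11.3; echo '	chmod -R a-w $(distdir); chmod a+w $(distdir)'; } > "$1/old/Makefile.in"
    { printf "$hdr" 1.11.3; echo '	chmod -R a-w $(distdir); chmod u+w $(distdir)'; } > "$1/patched/Makefile.in"
    { printf "$hdr" 1.12.2; echo '	chmod -R a-w $(distdir); chmod u+w $(distdir)'; } > "$1/new/Makefile.in"
}

# With a directory argument scan that tree; otherwise scan the constructed samples.
if [ "$#" -gt 0 ]; then scan_tree "$1"
else tmp=$(mktemp -d); make_samples "$tmp"; scan_tree "$tmp"; rm -rf "$tmp"; fi
```

A `PATCHED` result means the header names a pre-fix Automake but the recipe no longer matches the pre-fix text, which is what a tarball built with a hand-patched Automake would show; only top-level Makefile.in files carry a `distcheck` rule, so subdirectory files report `NO-DISTCHECK`.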