ID CVE-2009-4029
Summary The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
References
Vulnerable Configurations
  • GNU Automake 1.10.3
    cpe:2.3:a:gnu:automake:1.10.3
  • GNU Automake 1.11.1
    cpe:2.3:a:gnu:automake:1.11.1
  • cpe:2.3:a:gnu:automake:branch:1-9
    cpe:2.3:a:gnu:automake:branch:1-9
CVSS
Base: 4.4 (as of 21-12-2009 - 10:43)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100330_AUTOMAKE_ON_SL5_X.NASL
    description Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-4029) Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60761
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60761
    title Scientific Linux Security Update : automake on SL5.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1718.NASL
    description - Tue Feb 9 2010 Karsten Hopp 1.4p6-20 - add fix for CVE-2009-4029 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47265
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47265
    title Fedora 12 : automake14-1.4p6-20.fc12 (2010-1718)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-3520.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.6.3-18.1 - fix CVE-2009-4029 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47315
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47315
    title Fedora 12 : automake16-1.6.3-18.fc12.1 (2010-3520)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-13157.NASL
    description - Wed Dec 9 2009 Karsten Hopp 1.11.1-1 - update to version 1.11.1 to fix CVE-2009-4029 - Tue Dec 1 2009 Karsten Hopp 1.11-6 - preserve time stamps of man pages (#225302) - drop MIT from list of licenses - Wed Nov 4 2009 Stepan Kasal - 1.11-5 - add even more testsuite build requires - Wed Nov 4 2009 Stepan Kasal - 1.11-4 - add build requires for testsuite Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 44879
    published 2010-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44879
    title Fedora 12 : automake-1.11.1-1.fc12 (2009-13157)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-3573.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.7.9-13.1 - fix CVE-2009-4029 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47319
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47319
    title Fedora 12 : automake17-1.7.9-13.fc12.1 (2010-3573)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-203.NASL
    description A vulnerability was discovered and corrected in automake : The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete (CVE-2009-4029). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 49973
    published 2010-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49973
    title Mandriva Linux Security Advisory : automake (MDVSA-2010:203)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201310-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201310-15 (GNU Automake: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GNU Automake. Please review the CVE identifiers referenced below for details. Impact : A local attacker could execute arbitrary commands with the privileges of the user running an Automake-based build. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 70650
    published 2013-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70650
    title GLSA-201310-15 : GNU Automake: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-3591.NASL
    description - Tue Feb 9 2010 Karsten Hopp 1.4p6-20 - add fix for CVE-2009-4029 - Fri Jul 24 2009 Fedora Release Engineering - 1.4p6-19 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47321
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47321
    title Fedora 11 : automake14-1.4p6-20.fc11 (2010-3591)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_AUTOMAKE-130812.NASL
    description This update of automake fixes a race condition in 'distcheck'. (CVE-2012-3386) Also a bug where world writeable tarballs were generated during 'make dist' has been fixed. (CVE-2009-4029)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 69345
    published 2013-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69345
    title SuSE 11.2 / 11.3 Security Update : automake (SAT Patch Numbers 8196 / 8197)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-3563.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.5-29.1 - update CVE-2009-4029 patch - Tue Feb 9 2010 Karsten Hopp 1.5-29 - add disttag - Tue Feb 9 2010 Karsten Hopp 1.5-28 - add fix for CVE-2009-4029 - add buildrequirement flex Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47317
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47317
    title Fedora 12 : automake15-1.5-29.fc12.1 (2010-3563)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1148.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.6.3-18.1 - fix CVE-2009-4029 - Fri Jul 31 2009 Karsten Hopp 1.6.3-18 - rebuild - Thu Jul 30 2009 Karsten Hopp 1.6.3-17 - fix build problem - Fri Jul 24 2009 Fedora Release Engineering - 1.6.3-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47235
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47235
    title Fedora 11 : automake16-1.6.3-18.fc11.1 (2010-1148)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-3569.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.7.9-13.1 - fix CVE-2009-4029 - Fri Jul 24 2009 Fedora Release Engineering - 1.7.9-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47318
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47318
    title Fedora 11 : automake17-1.7.9-13.fc11.1 (2010-3569)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1174.NASL
    description - Tue Feb 16 2010 Karsten Hopp 1.5-29.1 - update CVE-2009-4029 patch - Tue Feb 9 2010 Karsten Hopp 1.5-29 - add disttag - Tue Feb 9 2010 Karsten Hopp 1.5-28 - add fix for CVE-2009-4029 - add buildrequirement flex - Fri Jul 24 2009 Fedora Release Engineering - 1.5-27 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 47238
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47238
    title Fedora 11 : automake15-1.5-29.fc11.1 (2010-1174)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0321.NASL
    description Updated automake, automake14, automake15, automake16, and automake17 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards. Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-4029) Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code. All users of automake, automake14, automake15, automake16, and automake17 should upgrade to these updated packages, which resolve this issue.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 46289
    published 2010-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46289
    title RHEL 5 : automake (RHSA-2010:0321)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1216.NASL
    description Fixes CVE-2009-4029 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47240
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47240
    title Fedora 11 : automake-1.11.1-1.fc11.1 (2010-1216)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. Insight Perl Tk Module Source-Navigator Tk Partimage Mlmmj acl Xinit gzip ncompress liblzw splashutils GNU M4 KDE Display Manager GTK+ KGet dvipng Beanstalk Policy Mount pam_krb5 GNU gv LFTP Uzbl Slim Bitdefender Console iputils DVBStreamer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79961
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79961
    title GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010
oval via4
accepted 2013-04-29T04:15:28.467-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
family unix
id oval:org.mitre.oval:def:11717
status accepted
submitted 2010-07-09T03:56:16-04:00
title The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
version 19
redhat via4
advisories
bugzilla
id 542609
title based directory hierarchy
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • OR
    • AND
      • comment automake14 is earlier than 0:1.4p6-13.el5.1
        oval oval:com.redhat.rhsa:tst:20100321002
      • comment automake14 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321003
    • AND
      • comment automake15 is earlier than 0:1.5-16.el5.2
        oval oval:com.redhat.rhsa:tst:20100321004
      • comment automake15 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321005
    • AND
      • comment automake16 is earlier than 0:1.6.3-8.el5.1
        oval oval:com.redhat.rhsa:tst:20100321006
      • comment automake16 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321007
    • AND
      • comment automake17 is earlier than 0:1.7.9-7.el5.2
        oval oval:com.redhat.rhsa:tst:20100321008
      • comment automake17 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321009
    • AND
      • comment automake is earlier than 0:1.9.6-2.3.el5
        oval oval:com.redhat.rhsa:tst:20100321010
      • comment automake is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321011
rhsa
id RHSA-2010:0321
released 2010-03-30
severity Low
title RHSA-2010:0321: automake security update (Low)
rpms
  • automake14-0:1.4p6-13.el5.1
  • automake15-0:1.5-16.el5.2
  • automake16-0:1.6.3-8.el5.1
  • automake17-0:1.7.9-7.el5.2
  • automake-0:1.9.6-2.3.el5
refmap via4
bugtraq 20101027 rPSA-2010-0071-1 automake
confirm
mandriva MDVSA-2010:203
mlist
  • [automake-patches] 20091128 [PATCH] do not put world-writable directories in distribution tarballs
  • [automake] 20091208 CVE-2009-4029 Automake security fix for 'make dist*'
  • [automake] 20091208 GNU Automake 1.10.3 released
  • [automake] 20091208 GNU Automake 1.11.1 released
  • [automake] 20091208 Re: CVE-2009-4029 Automake security fix for 'make dist*'
sunalert 1021784
vupen ADV-2009-3579
statements via4
contributor Mark Cox
lastmodified 2010-03-31
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029 This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html The Red Hat Security Response Team has rated this issue as having low security impact, theres no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.
Last major update 08-08-2012 - 00:00
Published 19-12-2009 - 21:30
Last modified 10-10-2018 - 15:48
Back to Top