CVE-2009-4029 - The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4

CVE-2009-4029

Summary

The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.

References

Vulnerable Configurations

cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:branch:1-9:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:branch:1-9:*:*:*:*:*:*

CVSS

Base:	4.4 (as of 10-10-2018 - 19:48)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:M/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:15:28.467-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11717

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	542609
title	based directory hierarchy

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment automake14 is earlier than 0:1.4p6-13.el5.1
oval oval:com.redhat.rhsa:tst:20100321001
comment automake14 is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20100321002
AND
comment automake15 is earlier than 0:1.5-16.el5.2
oval oval:com.redhat.rhsa:tst:20100321003
comment automake15 is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20100321004
AND
comment automake16 is earlier than 0:1.6.3-8.el5.1
oval oval:com.redhat.rhsa:tst:20100321005
comment automake16 is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20100321006
AND
comment automake17 is earlier than 0:1.7.9-7.el5.2
oval oval:com.redhat.rhsa:tst:20100321007
comment automake17 is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20100321008
AND
comment automake is earlier than 0:1.9.6-2.3.el5
oval oval:com.redhat.rhsa:tst:20100321009
comment automake is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20100321010

rhsa

id	RHSA-2010:0321
released	2010-03-29
severity	Low
title	RHSA-2010:0321: automake security update (Low)

rpms

automake-0:1.9.6-2.3.el5
automake14-0:1.4p6-13.el5.1
automake15-0:1.5-16.el5.2
automake16-0:1.6.3-8.el5.1
automake17-0:1.7.9-7.el5.2

refmap via4

bugtraq	20101027 rPSA-2010-0071-1 automake
confirm	http://savannah.gnu.org/forum/forum.php?forum_id=6077 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0071
mandriva	MDVSA-2010:203
mlist	[automake-patches] 20091128 [PATCH] do not put world-writable directories in distribution tarballs [automake] 20091208 CVE-2009-4029 Automake security fix for 'make dist' [automake] 20091208 GNU Automake 1.10.3 released [automake] 20091208 GNU Automake 1.11.1 released [automake] 20091208 Re: CVE-2009-4029 Automake security fix for 'make dist'
sunalert	1021784
vupen	ADV-2009-3579

statements via4

contributor	Mark Cox
lastmodified	2010-03-31
organization	Red Hat
statement	Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029 This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html The Red Hat Security Response Team has rated this issue as having low security impact, theres no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.

Last major update

10-10-2018 - 19:48

Published

20-12-2009 - 02:30

Last modified

10-10-2018 - 19:48