ID CVE-2009-4029
Summary The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
References
Vulnerable Configurations
  • cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:automake:branch:1-9:*:*:*:*:*:*
    cpe:2.3:a:gnu:automake:branch:1-9:*:*:*:*:*:*
CVSS
Base: 4.4 (as of 10-10-2018 - 19:48)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:L/AC:M/Au:N/C:P/I:P/A:P
oval via4
accepted 2013-04-29T04:15:28.467-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
family unix
id oval:org.mitre.oval:def:11717
status accepted
submitted 2010-07-09T03:56:16-04:00
title The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
version 19
redhat via4
advisories
bugzilla
id 542609
title based directory hierarchy
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment automake14 is earlier than 0:1.4p6-13.el5.1
        oval oval:com.redhat.rhsa:tst:20100321002
      • comment automake14 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321003
    • AND
      • comment automake15 is earlier than 0:1.5-16.el5.2
        oval oval:com.redhat.rhsa:tst:20100321004
      • comment automake15 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321005
    • AND
      • comment automake16 is earlier than 0:1.6.3-8.el5.1
        oval oval:com.redhat.rhsa:tst:20100321006
      • comment automake16 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321007
    • AND
      • comment automake17 is earlier than 0:1.7.9-7.el5.2
        oval oval:com.redhat.rhsa:tst:20100321008
      • comment automake17 is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321009
    • AND
      • comment automake is earlier than 0:1.9.6-2.3.el5
        oval oval:com.redhat.rhsa:tst:20100321010
      • comment automake is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20100321011
rhsa
id RHSA-2010:0321
released 2010-03-30
severity Low
title RHSA-2010:0321: automake security update (Low)
rpms
  • automake14-0:1.4p6-13.el5.1
  • automake15-0:1.5-16.el5.2
  • automake16-0:1.6.3-8.el5.1
  • automake17-0:1.7.9-7.el5.2
  • automake-0:1.9.6-2.3.el5
refmap via4
bugtraq 20101027 rPSA-2010-0071-1 automake
confirm
mandriva MDVSA-2010:203
mlist
  • [automake-patches] 20091128 [PATCH] do not put world-writable directories in distribution tarballs
  • [automake] 20091208 CVE-2009-4029 Automake security fix for 'make dist*'
  • [automake] 20091208 GNU Automake 1.10.3 released
  • [automake] 20091208 GNU Automake 1.11.1 released
  • [automake] 20091208 Re: CVE-2009-4029 Automake security fix for 'make dist*'
sunalert 1021784
vupen ADV-2009-3579
statements via4
contributor Mark Cox
lastmodified 2010-03-31
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029 This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html The Red Hat Security Response Team has rated this issue as having low security impact, theres no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.
Last major update 10-10-2018 - 19:48
Published 20-12-2009 - 02:30
Back to Top