Diffstat (limited to 'main/automake/CVE-2012-3386.patch')
1 files changed, 73 insertions, 0 deletions
diff --git a/main/automake/CVE-2012-3386.patch b/main/automake/CVE-2012-3386.patch
new file mode 100644
@@ -0,0 +1,73 @@
+>From bab7065f75bb9680df8c782da06a8312e5fa95a6 Mon Sep 17 00:00:00 2001
+From: Stefano Lattarini <address@hidden>
+Date: Fri, 6 Jul 2012 22:43:04 +0200
+Subject: [PATCH] distcheck: never make part of $(distdir) world-writable
+This fixes a locally-exploitable security vulnerability (CVE-2012-3386).
+In the 'distcheck' rule, we used to make the just-extracted (from
+the distribution tarball) $(distdir) directory and all its files and
+subdirectories read-only; then, in order to create the '_inst' and
+'_build' subdirectories in there (used by the rest of the recipe) we
+made the top-level $(distdir) *world-writable* for an instant (the
+time to create those two directories) before making it read-only
+Making that directory world-writable (albeit only briefly) introduced a
+locally exploitable race condition for those who run "make distcheck" with
+a non-restrictive umask (e.g., 022) in a directory that is accessible by
+others. A successful exploit would result in arbitrary code execution
+with the privileges of the user running "make distcheck" -- game over.
+Jim Meyering wrote a proof-of-concept script showing that such exploit is
+This issue is similar to the CVE-2009-4029 vulnerability:
+* lib/am/distdir.am (distcheck): Don't make $(distdir) world-writable,
+not even for an instant; make it user-writable instead, which is enough.
+Helped-By: Jim Meyering <address@hidden>
+Signed-off-by: Stefano Lattarini <address@hidden>
+ NEWS | 9 +++++++++
+ lib/am/distdir.am | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/NEWS b/NEWS
+index ee16961..4975e8e 100644
+@@ -92,6 +92,15 @@ New in 1.12.2:
+ Bugs fixed in 1.12.2:
++* SECURITY VULNERABILITIES!
++ - The recipe of the 'distcheck' no longer grants anymore temporary
++ world-wide write permissions on the extracted distdir. Even if such
++ rights were only granted for a vanishingly small time window, the
++ implied race condition proved to be enough to allow a local attacker
++ to run arbitrary code with the privileges of the user running "make
++ distcheck". This is CVE-2012-3386.
+ * Long-standing bugs:
+ - The "recheck" targets behaves better in the face of build failures
+diff --git a/lib/am/distdir.am b/lib/am/distdir.am
+index e27b650..f636a1e 100644
+@@ -449,7 +449,7 @@ distcheck: dist
+ ## Make the new source tree read-only. Distributions ought to work in
+ ## this case. However, make the top-level directory writable so we
+ ## can make our new subdirs.
+- chmod -R a-w $(distdir); chmod a+w $(distdir)
++ chmod -R a-w $(distdir); chmod u+w $(distdir)
+ mkdir $(distdir)/_build
+ mkdir $(distdir)/_inst
+ ## Undo the write access.