Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/automake/automake-1.9.6/patches/01-CVE-2012-3386.patch
author Rich Burridge <rich.burridge@oracle.com>
Tue, 10 Jul 2012 06:17:26 -0700
changeset 911 eec41ee6c6ad
permissions -rw-r--r--
7182673 Problem with utility/automake

--- automake-1.9.6/NEWS.orig	2012-07-10 06:12:38.489800299 -0700
+++ automake-1.9.6/NEWS	2012-07-10 06:14:03.125841286 -0700
@@ -1,5 +1,14 @@
 Bugs fixed in 1.9.6:
 
+* SECURITY VULNERABILITIES!
+
+  - The recipe of the 'distcheck' no longer grants anymore temporary
+    world-wide write permissions on the extracted distdir.  Even if such
+    rights were only granted for a vanishingly small time window, the
+    implied race condition proved to be enough to allow a local attacker
+    to run arbitrary code with the privileges of the user running "make
+    distcheck".  This is CVE-2012-3386.
+
 * Longstanding bugs:
 
   - Correctly diagnose `#' comments following trailing backslash.
--- automake-1.9.6/lib/am/distdir.am.orig	2012-07-10 06:14:39.013442021 -0700
+++ automake-1.9.6/lib/am/distdir.am	2012-07-10 06:14:55.178227715 -0700
@@ -323,7 +323,7 @@
 ## Make the new source tree read-only.  Distributions ought to work in
 ## this case.  However, make the top-level directory writable so we
 ## can make our new subdirs.
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 ## Undo the write access.
upstream/oracle/userland-gate