7182673 Problem with utility/automake
authorRich Burridge <rich.burridge@oracle.com>
Tue, 10 Jul 2012 06:17:26 -0700
changeset 911 eec41ee6c6ad
parent 910 9f3b963d8baa
child 912 d98bdeebbbb3
7182673 Problem with utility/automake
components/automake/automake-1.10/patches/01-CVE-2012-3386.patch
components/automake/automake-1.11.2/patches/CVE-2012-3386.patch
components/automake/automake-1.9.6/patches/01-CVE-2012-3386.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/automake/automake-1.10/patches/01-CVE-2012-3386.patch	Tue Jul 10 06:17:26 2012 -0700
@@ -0,0 +1,29 @@
+--- automake-1.10/NEWS.orig	2012-07-10 06:06:11.262965208 -0700
++++ automake-1.10/NEWS	2012-07-10 06:06:49.380882833 -0700
[email protected]@ -128,6 +128,15 @@
+     flavors, including optional formats such as dvi, ps, or info even
+     when `no-installinfo' is used.)
+ 
++* SECURITY VULNERABILITIES!
++
++  - The recipe of the 'distcheck' no longer grants anymore temporary
++    world-wide write permissions on the extracted distdir.  Even if such
++    rights were only granted for a vanishingly small time window, the
++    implied race condition proved to be enough to allow a local attacker
++    to run arbitrary code with the privileges of the user running "make
++    distcheck".  This is CVE-2012-3386.
++
+ * Miscellaneous changes:
+ 
+   - Automake no longer complains if input files for AC_CONFIG_FILES
+--- automake-1.10/lib/am/distdir.am.orig	2012-07-10 06:08:03.395311756 -0700
++++ automake-1.10/lib/am/distdir.am	2012-07-10 06:08:34.847417147 -0700
[email protected]@ -327,7 +327,7 @@
+ ## Make the new source tree read-only.  Distributions ought to work in
+ ## this case.  However, make the top-level directory writable so we
+ ## can make our new subdirs.
+-	chmod -R a-w $(distdir); chmod a+w $(distdir)
++	chmod -R a-w $(distdir); chmod u+w $(distdir)
+ 	mkdir $(distdir)/_build
+ 	mkdir $(distdir)/_inst
+ ## Undo the write access.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/automake/automake-1.11.2/patches/CVE-2012-3386.patch	Tue Jul 10 06:17:26 2012 -0700
@@ -0,0 +1,29 @@
+--- automake-1.11.2/NEWS.orig	2012-07-10 05:55:08.774803866 -0700
++++ automake-1.11.2/NEWS	2012-07-10 05:55:40.618794747 -0700
[email protected]@ -90,6 +90,15 @@
+   - The AM_COND_IF macro also works if the shell expression for the
+     conditional is no longer valid for the condition.
+ 
++* SECURITY VULNERABILITIES!
++
++  - The recipe of the 'distcheck' no longer grants anymore temporary
++    world-wide write permissions on the extracted distdir.  Even if such
++    rights were only granted for a vanishingly small time window, the
++    implied race condition proved to be enough to allow a local attacker
++    to run arbitrary code with the privileges of the user running "make
++    distcheck".  This is CVE-2012-3386.
++
+ * Long-standing bugs:
+ 
+   - The order of Yacc and Lex flags is fixed to be consistent with other
+--- automake-1.11.2/lib/am/distdir.am.orig	2012-07-10 05:57:02.481964158 -0700
++++ automake-1.11.2/lib/am/distdir.am	2012-07-10 05:57:54.509361759 -0700
[email protected]@ -441,7 +441,7 @@
+ ## Make the new source tree read-only.  Distributions ought to work in
+ ## this case.  However, make the top-level directory writable so we
+ ## can make our new subdirs.
+-	chmod -R a-w $(distdir); chmod a+w $(distdir)
++	chmod -R a-w $(distdir); chmod u+w $(distdir)
+ 	mkdir $(distdir)/_build
+ 	mkdir $(distdir)/_inst
+ ## Undo the write access.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/automake/automake-1.9.6/patches/01-CVE-2012-3386.patch	Tue Jul 10 06:17:26 2012 -0700
@@ -0,0 +1,28 @@
+--- automake-1.9.6/NEWS.orig	2012-07-10 06:12:38.489800299 -0700
++++ automake-1.9.6/NEWS	2012-07-10 06:14:03.125841286 -0700
[email protected]@ -1,5 +1,14 @@
+ Bugs fixed in 1.9.6:
+ 
++* SECURITY VULNERABILITIES!
++
++  - The recipe of the 'distcheck' no longer grants anymore temporary
++    world-wide write permissions on the extracted distdir.  Even if such
++    rights were only granted for a vanishingly small time window, the
++    implied race condition proved to be enough to allow a local attacker
++    to run arbitrary code with the privileges of the user running "make
++    distcheck".  This is CVE-2012-3386.
++
+ * Longstanding bugs:
+ 
+   - Correctly diagnose `#' comments following trailing backslash.
+--- automake-1.9.6/lib/am/distdir.am.orig	2012-07-10 06:14:39.013442021 -0700
++++ automake-1.9.6/lib/am/distdir.am	2012-07-10 06:14:55.178227715 -0700
[email protected]@ -323,7 +323,7 @@
+ ## Make the new source tree read-only.  Distributions ought to work in
+ ## this case.  However, make the top-level directory writable so we
+ ## can make our new subdirs.
+-	chmod -R a-w $(distdir); chmod a+w $(distdir)
++	chmod -R a-w $(distdir); chmod u+w $(distdir)
+ 	mkdir $(distdir)/_build
+ 	mkdir $(distdir)/_inst
+ ## Undo the write access.