From owner-svn-ports-all@FreeBSD.ORG Mon Aug 6 22:44:14 2012
Return-Path:
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ACBE11065782; Mon, 6 Aug 2012 22:44:14 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 7DFEB8FC0C; Mon, 6 Aug 2012 22:44:14 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q76MiEkt091177; Mon, 6 Aug 2012 22:44:14 GMT (envelope-from bdrewery@svn.freebsd.org)
Received: (from bdrewery@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q76MiEPc091173; Mon, 6 Aug 2012 22:44:14 GMT (envelope-from bdrewery@svn.freebsd.org)
Message-Id: <201208062244.q76MiEPc091173@svn.freebsd.org>
From: Bryan Drewery
Date: Mon, 6 Aug 2012 22:44:14 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r302216 - head/security/vuxml
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the ports tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 06 Aug 2012 22:44:14 -0000

Author: bdrewery
Date: Mon Aug 6 22:44:13 2012
New Revision: 302216
URL: http://svn.freebsd.org/changeset/ports/302216

Log:
  Document CVE-2012-3386 for devel/automake

  Approved by: eadler (mentor)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Aug 6 21:47:23 2012 (r302215)
+++ head/security/vuxml/vuln.xml Mon Aug 6 22:44:13 2012 (r302216)
@@ -52,6 +52,41 @@ Note: Please add new entries to the beg --> + + automake -- Insecure 'distcheck' recipe granted world-writable distdir + + + automake + 1.12.2 + + + + +

GNU reports:

+
+

The recipe of the 'distcheck' target granted temporary +world-write permissions on the extracted distdir. This introduced +a locally exploitable race condition for those who run "make distcheck" +with a non-restrictive umask (e.g., 022) in a directory that was +accessible by others. A successful exploit would result in arbitrary +code execution with the privileges of the user running "make distcheck".

+

It is important to stress that this vulnerability impacts not only +the Automake package itself, but all packages with Automake-generated +makefiles. For an effective fix it is necessary to regenerate the +Makefile.in files with a fixed Automake version.

+
+ +
+ + CVE-2012-3386 + https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html + + + 2012-07-09 + 2012-08-06 + +
+ mozilla -- multiple vulnerabilities
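
Review bot: the affected-package block of the new entry names only `automake` with the single version bound 1.12.2, while the GNU text quoted in the same entry stresses that every package carrying Automake-generated Makefile.in files inherits the vulnerable 'distcheck' recipe. A package audit driven by this entry will flag an old automake install but nothing generated by it, so it would help to confirm that 1.12.2 is meant as the first fixed release (an exclusive upper bound) per the linked lists.gnu.org announcement, and to check whether any other automake package names or maintained older branches in the tree need their own name and range lines. The dates look consistent (discovery 2012-07-09, entry 2012-08-06), and the references carry both the CVE name and the upstream URL.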