FreeBSD : automake -- Insecure 'distcheck' recipe granted world-writable distdir (10f38033-e006-11e1-9304-000000000000)

This script is (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

GNU reports :

The recipe of the 'distcheck' target granted temporary world-write
permissions on the extracted distdir. This introduced a locally
exploitable race condition for those who run 'make distcheck' with a
non-restrictive umask (e.g., 022) in a directory that was accessible
by others. A successful exploit would result in arbitrary code
execution with the privileges of the user running 'make distcheck'.

It is important to stress that this vulnerability impacts not only the
Automake package itself, but all packages with Automake-generated
makefiles. For an effective fix it is necessary to regenerate the
Makefile.in files with a fixed Automake version.

See also :

https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
http://www.nessus.org/u?44656775

Solution :

Update the affected package.
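The advisory notes that every package shipping an Automake-generated Makefile.in carries the recipe until it is regenerated. The following is an added example, not part of the advisory or the Nessus plugin: a scanner that lists Makefile.in files whose 'distcheck' recipe still makes the distdir writable by everyone. The recipe form it looks for (`chmod a+w $(distdir)`, with `u+w` in a regenerated file) is an assumption that the page does not quote, and the function names and sample recipes are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption (not quoted on the page): the unsafe recipe line has the form
# "chmod a+w $(distdir)"; a regenerated Makefile.in grants write to "u" only.
CHMOD_RE = re.compile(r"chmod\s+(?:-\w+\s+)*([ugoa]*)\+(\w*)\s+\$[({]distdir[)}]")

def distcheck_recipe(text):
    """Return the tab-indented recipe lines of the 'distcheck' target."""
    recipe, inside = [], False
    for line in text.splitlines():
        if re.match(r"distcheck\s*:", line):
            inside = True
        elif inside and line.startswith("\t"):
            recipe.append(line)
        elif inside and line.strip():
            break  # next target or assignment ends the recipe
    return recipe

def grants_world_write(recipe):
    """True if the recipe makes $(distdir) writable by 'other' or 'all'."""
    return any("w" in perms and set(who) & {"o", "a"}
               for line in recipe for who, perms in CHMOD_RE.findall(line))

def scan_tree(root):
    """List Makefile.in files under root whose distcheck recipe is unsafe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "Makefile.in" in files:
            path = os.path.join(dirpath, "Makefile.in")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if grants_world_write(distcheck_recipe(fh.read())):
                    hits.append(path)
    return sorted(hits)

# Constructed sample recipes, not copied from a real package.
OLD = "distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n\tmkdir $(distdir)/_build\n"
NEW = OLD.replace("chmod a+w", "chmod u+w")

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("old", OLD), ("new", NEW)):
            os.mkdir(os.path.join(root, name))
            with open(os.path.join(root, name, "Makefile.in"), "w") as fh:
                fh.write(body)
        return [os.path.relpath(p, root) for p in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at a ports work directory or a source checkout; any path it returns needs its Makefile.in regenerated with a fixed Automake.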

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 61444

Bugtraq ID:

CVE ID: CVE-2012-3386
