FreeBSD : automake -- Insecure 'distcheck' recipe granted world-writable distdir (36235c38-e0a8-11e1-9f4d-002354ed89bc)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

GNU reports :

The recipe of the 'distcheck' target granted temporary world-write
permissions on the extracted distdir. This introduced a locally
exploitable race condition for those who run 'make distcheck' with a
non-restrictive umask (e.g., 022) in a directory that was accessible
by others. A successful exploit would result in arbitrary code
execution with the privileges of the user running 'make distcheck'.

It is important to stress that this vulnerability impacts not only the
Automake package itself, but all packages with Automake-generated
makefiles. For an effective fix it is necessary to regenerate the
Makefile.in files with a fixed Automake version.

See also :

https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
http://www.nessus.org/u?fb5e8cd1

Solution :

Update the affected package.
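
Updating the package does not change Makefile.in files that were already generated, so the added example below (not part of the advisory or of Automake) lists the ones in a source tree that still need regenerating. It assumes the pre-fix recipe can be recognised by a chmod that adds write permission for all or other users on $(distdir), a form not shown on this page; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from Automake): find generated
# Makefile.in files whose distcheck recipe still opens $(distdir) to all users.
# Assumption: the affected recipe is identified by a chmod that adds write
# permission for "a" or "o" on $(distdir); the fixed recipe adds it for "u" only.
WORLD_WRITE_RE='chmod[[:space:]]+[ugoa]*[oa][ugoa]*\+[rwxX]*w[rwxX]*[[:space:]]+\$\(distdir\)'

# scan_tree DIR: print each Makefile.in under DIR that needs regenerating.
scan_tree() {
    # grep exits 1 when nothing matches and find passes that on; the printed
    # list is the result, so the status is ignored.
    find "$1" -type f -name Makefile.in -exec grep -El "$WORLD_WRITE_RE" {} + || true
}

# demo: build two constructed Makefile.in fragments and scan them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/old" "$tmp/regenerated"
    # Constructed sample: recipe line in the pre-fix form.
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
        > "$tmp/old/Makefile.in"
    # Constructed sample: recipe line in the fixed form.
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
        > "$tmp/regenerated/Makefile.in"
    (cd "$tmp" && scan_tree .)
    rm -rf "$tmp"
}

# Scan the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    scan_tree "$1"
fi
```

Any path it prints belongs to a package whose Makefile.in should be regenerated with a fixed Automake version.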

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 61451

Bugtraq ID:

CVE ID: CVE-2012-3386
