"make distcheck" is exploitable: get a fixed automake

Jim Meyering jim at meyering.net
Fri Jul 13 13:34:53 UTC 2012


If you run "make distcheck" (the rule generated by automake),
be sure that it is safe.  Until a few days ago, running that
rule in a directory readable by others would put you at risk
from a local attacker.  It can be exploited reliably.
It's fixed in the latest, automake-12.2.

    http://bugzilla.redhat.com/CVE-2012-3386
    http://savannah.gnu.org/forum/forum.php?forum_id=7294

One work-around is to ensure that your build directory
is not readable by the potential attacker.  A more general
(but more onerous) approach is to use a restrictive umask,
e.g. by adding "umask 077" to some shell start-up file.
But don't do that lightly, since there are still plenty of
tools that are unprepared for that.  Personally, I've had
a umask of 077 for the last few years because I'm rather
paranoid, but it has also caused trouble, and I've had to
learn when to invoke tools in a subshell like this

    (umask 022; run some tool)

especially as root.

To see if you have a vulnerable Makefile.in file, run this:

    find . -name Makefile.in|xargs grep chmod.a+w

It usually finds problems in the top-level Makefile.in.
If you see any matching line, say like this,

    ./Makefile.in:  chmod -R a-w $(distdir); chmod a+w $(distdir)

then that rule is vulnerable: install a patched automake
and/or just change a+w to u+w on that line.

Note that just installing a fixed automake is not enough.
You must also rerun it, in order to regenerate each offending
Makefile.in.  This means that if you ever unpack an old tarball
and run "make distcheck" using that, you may be vulnerable.

If you're about to make a release, be sure to regenerate your
Makefile.in files with a fixed automake before doing that so
that people who use your release tarball are not vulnerable.
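
The check and the a+w to u+w edit described above, applied across a whole source tree, as an added example that is not part of the original message or of automake. The names `audit_tree` and `--fix` are made up for this illustration, and the function matches only the exact `chmod a+w $(distdir)` text quoted in the post, which is narrower than the post's `chmod.a+w` grep.

```shell
#!/bin/sh
# Added example: audit Makefile.in files for the distcheck rule that makes
# $(distdir) world-writable, and optionally rewrite a+w to u+w.

# Exact text from the post, as a basic regex (\$ is a literal dollar sign).
PATTERN='chmod a+w \$(distdir)'

# audit_tree DIR [--fix]
#   Prints the path of every Makefile.in under DIR that contains PATTERN.
#   With --fix, also rewrites each match to "chmod u+w $(distdir)".
#   Assumes file names contain no newlines.
audit_tree() {
    dir=$1
    mode=${2:-}
    find "$dir" -type f -name Makefile.in | while IFS= read -r f; do
        grep -q "$PATTERN" "$f" || continue
        printf '%s\n' "$f"
        if [ "$mode" = "--fix" ]; then
            # Write through a temp file, then copy back with cat so the
            # original file keeps its owner and mode.
            sed "s/$PATTERN/chmod u+w \$(distdir)/" "$f" > "$f.tmp.$$" &&
                cat "$f.tmp.$$" > "$f" &&
                rm -f "$f.tmp.$$"
        fi
    done
}

# demo: build a constructed two-file tree (one vulnerable rule, one already
# fixed), list the vulnerable file, patch it, and show the result.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib"
    printf '\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' > "$tmp/Makefile.in"
    printf '\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' > "$tmp/lib/Makefile.in"
    echo "vulnerable before fix:"; audit_tree "$tmp"
    audit_tree "$tmp" --fix > /dev/null
    echo "vulnerable after fix:";  audit_tree "$tmp"
    rm -rf "$tmp"
}

# Run "sh thisfile demo" for the constructed demo, or pass DIR [--fix].
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    audit_tree "$@" ;;
esac
```

Editing Makefile.in this way only patches the files already on disk; regenerating them with a fixed automake, as the message says, is still what keeps the vulnerable rule out of future tarballs.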

