Vigil@nce: GNU M4, file modification via dist and distcheck
March 2010 by Vigil@nce
When the dist and distcheck targets of GNU M4 are used, a local
attacker can alter a file.
– Severity: 2/4
– Consequences: data creation/editing
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 25/02/2010
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The GNU M4 program generates files from macros.
However, GNU M4 can use a vulnerable version of GNU Automake
(VIGILANCE-VUL-9302, https://vigilance.fr/tree/1/9302).
When the dist and distcheck targets of GNU M4 are used, a local
attacker can therefore alter a file.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-9475
– Url: http://vigilance.fr/vulnerability/GNU-M4-file-modification-via-dist-and-distcheck-9475