Vigil@nce: GNU Automake, file modification via dist and distcheck
December 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When the dist and distcheck targets of GNU Automake are used, a
local attacker can alter a file.
Severity: 2/4
Consequences: user access/rights, data creation/edition
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/12/2009
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The GNU Automake program is used to compile several applications.
The "dist" target generates a source distribution, and the
"distcheck" target checks it. For compatibility with old tar
programs, the distribution is created with the mode 0777. A local
attacker can therefore alter a file of the distribution. For
example, by modifying the "configure" file, attacker’s code will
be executed during the preparation of the compilation.
A local attacker can therefore alter a file handled by GNU
Automake, in order for example to execute code.
CHARACTERISTICS
Identifiers: BID-37378, CVE-2009-4029, VIGILANCE-VUL-9302
http://vigilance.fr/vulnerability/GNU-Automake-file-modification-via-dist-and-distcheck-9302