[gentoo-announce] [ GLSA 201310-15 ] GNU Automake: Multiple vulnerabilities - gentoo-announce

From:	Chris Reffett <creffett@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201310-15 ] GNU Automake: Multiple vulnerabilities
Date:	Sat, 26 Oct 2013 00:17:37
Message-Id:	`526B09B2.3010400@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201310-15

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: GNU Automake: Multiple vulnerabilities

9

     Date: October 25, 2013

10

     Bugs: #295357, #426336

11

       ID: 201310-15

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in GNU Automake, allowing

19

local arbitrary command execution with the privileges of the user

20

running an Automake-based build.

21

22

Background

23

==========

24

25

GNU Automake is a tool for automatically generating Makefile.in files

26

compliant with the GNU Coding Standards.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  sys-devel/automake           < 1.11.6                  >= 1.11.6

35

36

Description

37

===========

38

39

Multiple vulnerabilities have been discovered in GNU Automake. Please

40

review the CVE identifiers referenced below for details.

41

42

Impact

43

======

44

45

A local attacker could execute arbitrary commands with the privileges

46

of the user running an Automake-based build.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All Automake users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=sys-devel/automake-1.11.6"

60

61

References

62

==========

63

64

[ 1 ] CVE-2009-4029

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029

66

[ 2 ] CVE-2012-3386

67

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

 http://security.gentoo.org/glsa/glsa-201310-15.xml

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users' machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

https://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2013 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201310-15
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: GNU Automake: Multiple vulnerabilities
9	Date: October 25, 2013
10	Bugs: #295357, #426336
11	ID: 201310-15
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in GNU Automake, allowing
19	local arbitrary command execution with the privileges of the user
20	running an Automake-based build.
21
22	Background
23	==========
24
25	GNU Automake is a tool for automatically generating Makefile.in files
26	compliant with the GNU Coding Standards.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 sys-devel/automake < 1.11.6 >= 1.11.6
35
36	Description
37	===========
38
39	Multiple vulnerabilities have been discovered in GNU Automake. Please
40	review the CVE identifiers referenced below for details.
41
42	Impact
43	======
44
45	A local attacker could execute arbitrary commands with the privileges
46	of the user running an Automake-based build.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All Automake users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=sys-devel/automake-1.11.6"
60
61	References
62	==========
63
64	[ 1 ] CVE-2009-4029
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029
66	[ 2 ] CVE-2012-3386
67	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3386
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	http://security.gentoo.org/glsa/glsa-201310-15.xml
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users' machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	https://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2013 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5