Message-Id: <E1P69e4-0008Tf-SC@titan.mandriva.com>
Date: Thu, 14 Oct 2010 00:18:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:203 ] automake

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:203
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : automake
 Date    : October 13, 2010
 Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in automake:
 
 The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3,
 and release branches branch-1-4 through branch-1-9, when producing a
 distribution tarball for a package that uses Automake, assign insecure
 permissions (777) to directories in the build tree, which introduces
 a race condition that allows local users to modify the contents of
 package files, introduce Trojan horse programs, or conduct other
 attacks before the build is complete (CVE-2009-4029).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4029
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMtf68mqjQ0CJFipgRAuD/AJ4kczw8DHZ/qYqSIEzOFBZ8d2s0XQCdEBtf
X3b5+C2azF+YazaE6POY6sE=
=TMoQ
-----END PGP SIGNATURE-----
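
A defender-side check for the condition this advisory describes, added here as an example and not part of the Mandriva advisory: it lists directories in an unpacked dist or build tree that are world-writable without the sticky bit, then removes group/other write from them. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dist/build tree for directories left world-writable
# (the 777 condition described for CVE-2009-4029).

# Print directories under $1 that "other" may write to and that lack the
# sticky bit, i.e. where any local user can create, rename or delete entries.
list_exposed_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Number of exposed directories (0 means none found).
count_exposed_dirs() {
    list_exposed_dirs "$1" | wc -l | tr -d ' '
}

# Mitigation for an existing tree: drop group/other write on every
# world-writable directory, then confirm nothing is still exposed.
harden_tree() {
    find "$1" -type d -perm -0002 -exec chmod go-w {} +
    [ "$(count_exposed_dirs "$1")" -eq 0 ]
}

# Constructed sample tree: one directory at 777 next to directories at 755.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/pkg-1.0/src" "$demo_tree/pkg-1.0/doc"
chmod 755 "$demo_tree/pkg-1.0" "$demo_tree/pkg-1.0/doc"
chmod 777 "$demo_tree/pkg-1.0/src"

echo "exposed before: $(count_exposed_dirs "$demo_tree")"
list_exposed_dirs "$demo_tree"
if harden_tree "$demo_tree"; then
    echo "exposed after: $(count_exposed_dirs "$demo_tree")"
fi
rm -rf "$demo_tree"
```

Running the audit before the tree is packed or installed shows whether the build ran in a state other local users could have tampered with; hardening afterwards does not undo changes already made.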
