Symlink Vulnerability in GNU automake <1.8.3

From: Stefan Nordhausen (deletethis.nordhaus_at_informatik.hu-berlin.de)
Date: 03/08/04

    Date: Mon, 08 Mar 2004 15:47:12 +0100
    To: bugtraq@securityfocus.com
    
    

    Vulnerable: GNU automake <1.8.3
    Not Vulnerable: GNU automake 1.8.3
    Project website: http://www.gnu.org/software/automake/

    Description of libtool (from website):
    "Automake is a tool for automatically generating `Makefile.in' files
    compliant with the GNU Coding Standards."

    Discussion:
    The Makefiles generated by automake insecurely create temporary
    directories. Because the insecure code is inside the Makefile this bug
    can only be exploited during compile time.

    The original bug report with some more detail can be found at
    http://sources.redhat.com/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=automake&pr=413

    Solution:
    This vulnerability has been fixed in GNU automake 1.8.3 which is the
    current stable release. Programmers should update their automake
    packages and re-create their Makefiles if they were created using GNU
    automake.

    Regards
    Stefan Nordhausen

    --
    If you put garbage in a computer nothing comes out but garbage. But this 
    garbage, having passed through a very expensive machine, is somehow 
    ennobled and none dare criticize it.
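
Added example, not part of the original post and not automake's own code: a shell scan that acts on the Solution paragraph above by listing Makefile.in files whose generator banner names an automake older than 1.8.3, so they can be re-created. It assumes the banner line automake normally writes at the top of Makefile.in; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): list Makefile.in files generated by
# automake older than 1.8.3. Assumes the usual first-line banner, e.g.
#   "# Makefile.in generated by automake 1.8.2 from Makefile.am."

# Print the automake version named in the banner of file $1 (empty if none).
automake_version() {
    sed -n 's/^# .*generated \(automatically \)\{0,1\}by automake \([0-9][^ ]*\) from.*/\2/p' "$1" | head -n 1
}

# Return 0 if version $1 is older than 1.8.3; suffixes such as "-p6" are ignored.
is_vulnerable_version() {
    v=${1%%[!0-9.]*}            # keep leading digits and dots: 1.4-p6 -> 1.4
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 3 ]
}

# Print "path<TAB>automake VERSION" for each affected Makefile.in under $1.
scan_tree() {
    find "$1" -type f -name Makefile.in | while IFS= read -r f; do
        ver=$(automake_version "$f")
        [ -n "$ver" ] || continue          # no banner: not generated by automake
        if is_vulnerable_version "$ver"; then
            printf '%s\tautomake %s\n' "$f" "$ver"
        fi
    done
}

# Constructed sample tree: one banner from 1.4-p6, one from 1.8.3.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/old" "$d/new"
    echo '# Makefile.in generated automatically by automake 1.4-p6 from Makefile.am' > "$d/old/Makefile.in"
    echo '# Makefile.in generated by automake 1.8.3 from Makefile.am.' > "$d/new/Makefile.in"
    scan_tree "$d" | sed "s|^$d/||"        # show paths relative to the sample tree
    rm -rf "$d"
}

if [ $# -gt 0 ]; then scan_tree "$1"; else demo; fi
```

Run it with a source tree as its argument; with no argument it scans the constructed sample tree.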
    
