[Secure-testing-team] Bug#570850: automake: Fix CVE-2009-4029 in Lenny/stable
Sylvain Beucler
beuc at beuc.net
Sun Feb 21 21:03:39 UTC 2010
Package: automake
Version: 1:1.10.1-3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
Please fix CVE-2009-4029 in automake 1.10.
I create my upstream releases from a Debian stable box, and I was
surprised to see that the generated Makefile.in's still have
instructions for 777 directories.
Attached is a patch :)
Cheers!
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages automake depends on:
ii autoconf 2.61-8 automatic configure script builder
ii autotools-dev 20080123.1 Update infrastructure for config.{
automake recommends no packages.
automake suggests no packages.
-- no debconf information
-------------- next part --------------
--- automake1.10-1.10.1/debian/changelog
+++ automake1.10-1.10.1/debian/changelog
@@ -1,3 +1,11 @@
+automake1.10 (1:1.10.1-4) stable-security; urgency=high
+
+ [ Sylvain Beucler ]
+ * Fix CVE-2009-4029, which created world-writable directories in
+ distribution tarballs.
+
+ -- Eric Dorland <eric at debian.org> Sun, 21 Feb 2010 21:45:48 +0100
+
automake1.10 (1:1.10.1-3) unstable; urgency=low
* debian/automake.postinst: Bump up the priority to 28 so that it wins
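Review bot: The new changelog bullet does not close the bug it fixes; append `(Closes: #570850)` to the `* Fix CVE-2009-4029, ...` line so the stable-security upload closes Bug#570850 automatically rather than leaving it open in the BTS.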
--- automake1.10-1.10.1.orig/lib/am/distdir.am
+++ automake1.10-1.10.1/lib/am/distdir.am
@@ -196,11 +196,7 @@
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
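Review bot: The shortened comment removes the rationale without recording why the world-writable step went away, so a later reader of distdir.am has no hint that the old `a+rwx` behaviour was taken out on purpose and may reintroduce it for the same tar-compatibility reason. Suggest keeping one line after `## links into the source tree, in case they're hard-linked.`, e.g. `## Directories are made 755, not 777 (see CVE-2009-4029).`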
@@ -213,7 +209,8 @@
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 \
+ -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
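Review bot: The new test `! -perm -755` combined with `chmod u+rwx,go+rx` only ever adds bits, so a directory that is already group- or world-writable in the source tree keeps those bits in `$(distdir)` (a 777 directory already satisfies `-perm -755` and is skipped entirely). That is consistent with the rest of the chain, where every branch is additive, and with the comment about not disturbing hard-linked files, but it means the patch stops automake from creating world-writable directories rather than guaranteeing the tarball contains none; if the latter is intended, a separate `chmod go-w` pass on directories would be needed, otherwise the changelog wording "created world-writable directories" is the accurate one and should stay.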