CVE-2012-3386

The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.

Configurations

Configuration 1

OR
cpe:2.3:a:gnu:automake:*:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.0:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p1:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p2:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p3:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p4:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p5:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.4:p6:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.6.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.7:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.8:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.7.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.8.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.9.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10.0.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.2:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.11.4:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.12:*:*:*:*:*:*:*
cpe:2.3:a:gnu:automake:1.12.1:*:*:*:*:*:*:*

History

13 Feb 2023, 04:33

Summary
  • Values Removed: It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
  • Values Added: The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
References
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=838286
  • (MISC) https://access.redhat.com/errata/RHSA-2013:0526
  • (MISC) https://access.redhat.com/errata/RHSA-2014:1243
  • (MISC) https://access.redhat.com/security/cve/CVE-2012-3386

02 Feb 2023, 14:16

References
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=838286
  • (MISC) https://access.redhat.com/errata/RHSA-2013:0526
  • (MISC) https://access.redhat.com/errata/RHSA-2014:1243
  • (MISC) https://access.redhat.com/security/cve/CVE-2012-3386
Summary
  • Values Removed: The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
  • Values Added: It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".

Information

Published : 2012-08-07 21:55

Updated : 2023-12-10 11:16


NVD link : CVE-2012-3386

Mitre link : CVE-2012-3386

CVE.ORG link : CVE-2012-3386


Products Affected

gnu

  • automake

CWE

CWE-264

Permissions, Privileges, and Access Controls

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')