| Name | CVE-2009-4029 |
| Description | The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| automake | source | (unstable) | 1:1.4-p6-13.1 | |||
| automake1.10 | source | (unstable) | 1:1.10.3-1 | |||
| automake1.7 | source | (unstable) | 1.7.9-9.1 | |||
| automake1.9 | source | (unstable) | 1.9.6+nogfdl-3.1 |
[lenny] - automake <no-dsa> (Minor issue)
[lenny] - automake1.9 <no-dsa> (Minor issue)
[lenny] - automake1.7 <no-dsa> (Minor issue)
[lenny] - automake1.10 <no-dsa> (Minor issue)
spu will be released to avoid spreading the bug even further
http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html