CVE-2009-4029
Automake: Race condition by creation of "distdir" based directory hierarchy
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 1
- Exploited in Wild: -
- Decision
Descriptions
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
The (1) dist or (2) distcheck rules in GNU Automake v1.11.1, v1.10.3, and branch-1-4 through branch-1-9, when generating a distribution as a .tar file for a package that uses Automake, assign insecure permissions (777) to the directories in the build tree, which introduces a race condition that allows local users to modify the contents of the package files, introduce Trojan horses, or carry out other attacks before the build has completed.
This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2011. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2009-11-20 CVE Reserved
- 2009-12-20 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-07 CVE Updated
- 2024-08-07 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (14)
URL | Tag | Source |
---|---|---|
http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html | Mailing List | |
http://lists.gnu.org/archive/html/automake/2009-12/msg00011.html | Mailing List | |
http://lists.gnu.org/archive/html/automake/2009-12/msg00013.html | Mailing List | |
http://savannah.gnu.org/forum/forum.php?forum_id=6077 | X_refsource_confirm | |
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0071 | X_refsource_confirm | |
http://www.securityfocus.com/archive/1/514526/100/0/threaded | Mailing List | |
http://www.vupen.com/english/advisories/2009/3579 | Vdb Entry | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11717 | Signature | |

URL | Date | SRC |
---|---|---|
http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html | 2024-08-07 | |

URL | Date | SRC |
---|---|---|
http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html | 2018-10-10 | |

URL | Date | SRC |
---|---|---|
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021784.1-1 | 2018-10-10 | |
http://www.mandriva.com/security/advisories?name=MDVSA-2010:203 | 2018-10-10 | |
https://access.redhat.com/security/cve/CVE-2009-4029 | 2010-03-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=542609 | 2010-03-29 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Gnu | Automake | 1.10.3 | - | Affected |
Gnu | Automake | 1.11.1 | - | Affected |
Gnu | Automake | branch | 1-9 | Affected |