CVE-2012-3386: Information disclosure

Debian Bug report logs - #681097
CVE-2012-3386: Information disclosure

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2012-3386: Information disclosure

Date: Tue, 10 Jul 2012 17:58:37 +0200

Package: automake
Version: 1:1.11-1.2.201001121001
Severity: important
Tags: security

Hi,
a security issue has been found in automake. It's not earth-shattering, but we should
still get it into Wheezy.

http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572

This also affects the source packages automake, automake1.7, automake1.9 and
automake1.10...

Cheers,
        Moritz

Message #10 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@debian.org>

To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 681097@bugs.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Tue, 10 Jul 2012 14:44:02 -0400

[Message part 1 (text/plain, inline)]

tags 681097 squeeze
found 681097 1:1.11.1-1
clone 681097 -1 -2 -3 -4
reassign -1 automake1.10
found -1 1:1.10.3.1
reassign -2 automake1.9
found -2 1.9.6+nogfdl-3.1
reassign -3 automake1.7
found -3 1.7.9-9.1
reassign -4 automake1.4
found -4 1:1.4-p6-13.1
thanks

Thanks Moritz, forking off bugs for each version. This is going to be
no fun :)

* Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> Package: automake
> Version: 1:1.11-1.2.201001121001
> Severity: important
> Tags: security
> 
> Hi,
> a security issue has been found in automake. It's not earth-shattering, but we should
> still get it into Wheezy.
> 
> http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
> 
> This also affects the source packages automake, automake1.7, automake1.9 and
> automake1.10...
> 
> Cheers,
>         Moritz
> 
> 

-- 
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com

[signature.asc (application/pgp-signature, inline)]

Message #21 received at 681097-close@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@debian.org>

To: 681097-close@bugs.debian.org

Subject: Bug#681097: fixed in automake1.11 1:1.11.6-1

Date: Tue, 10 Jul 2012 21:47:09 +0000

Source: automake1.11
Source-Version: 1:1.11.6-1

We believe that the bug you reported is fixed in the latest version of
automake1.11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated automake1.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Jul 2012 16:24:23 -0400
Source: automake1.11
Binary: automake
Architecture: source all
Version: 1:1.11.6-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 automake   - Tool for generating GNU Standards-compliant Makefiles
Closes: 681097
Changes: 
 automake1.11 (1:1.11.6-1) unstable; urgency=low
 .
   * New upstream release. Fixes CVE-2012-3386 "Temporary worldwide write
     permissions during make distcheck". (Closes: #681097)
Checksums-Sha1: 
 879a14af9152b46f6a142e827b8a5fc05b13efb2 1346 automake1.11_1.11.6-1.dsc
 765cd19ffefb57604b7208f925b56803166484e9 1092908 automake1.11_1.11.6.orig.tar.xz
 ab4e8ac687014cdd32c7c51f69b3f46c77ca5e03 6556 automake1.11_1.11.6-1.debian.tar.bz2
 2193cb908a6a5930d03ebe8d441810db6be7ca4f 607376 automake_1.11.6-1_all.deb
Checksums-Sha256: 
 873493fd9e91ec83c361bdda779288771a8d1ce777729c2c83a8fa8482616e60 1346 automake1.11_1.11.6-1.dsc
 1ffbc6cc41f0ea6c864fbe9485b981679dc5e350f6c4bc6c3512f5a4226936b5 1092908 automake1.11_1.11.6.orig.tar.xz
 16f89dba0d512eebc82f3991abec64ff6b21afb8709c0f4939aed301c59bb3ee 6556 automake1.11_1.11.6-1.debian.tar.bz2
 361f92c240614b4d42347fd2e5fae6dc611e7cef2c16bec3a0a2f70768e4dd5e 607376 automake_1.11.6-1_all.deb
Files: 
 cc76e0cad7057de8af3cfdc8e073b414 1346 devel optional automake1.11_1.11.6-1.dsc
 cf4752287ad708f83bd3689da57a32c9 1092908 devel optional automake1.11_1.11.6.orig.tar.xz
 3435cb28184e96eea2959d04757a0708 6556 devel optional automake1.11_1.11.6-1.debian.tar.bz2
 8971b0691f5a19af9efca6afdee36c31 607376 devel optional automake_1.11.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/8n8sACgkQYemOzxbZcMa+VQCgoZSn/80AuqCdt9l+QZwzm/ti
rZEAnAuIz/tJNK4TSuXh92UpbvoUzTpP
=7AHK
-----END PGP SIGNATURE-----

Message #26 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@debian.org>

To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 681097@bugs.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Thu, 12 Jul 2012 22:45:25 -0400

[Message part 1 (text/plain, inline)]

* Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> Package: automake
> Version: 1:1.11-1.2.201001121001
> Severity: important
> Tags: security
> 
> Hi,
> a security issue has been found in automake. It's not earth-shattering, but we should
> still get it into Wheezy.
> 
> http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
> 
> This also affects the source packages automake, automake1.7, automake1.9 and
> automake1.10...

It looks like it doesn't affect automake1.4, but I'm awaiting
confirmation. Should I prepare a stable update as well or is it not
worth it?

-- 
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com

[signature.asc (application/pgp-signature, inline)]

Message #31 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <muehlenhoff@univention.de>

To: Eric Dorland <eric@debian.org>

Cc: 681097@bugs.debian.org, jmw@debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Fri, 13 Jul 2012 15:06:34 +0200

On Freitag, 13. Juli 2012 04:45:25 Eric Dorland wrote:
> * Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> > Package: automake
> > Version: 1:1.11-1.2.201001121001
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > a security issue has been found in automake. It's not earth-shattering,
> > but we should still get it into Wheezy.
> > 
> > http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
> > 
> > This also affects the source packages automake, automake1.7, automake1.9
> > and automake1.10...
> 
> It looks like it doesn't affect automake1.4, but I'm awaiting
> confirmation. Should I prepare a stable update as well or is it not
> worth it?

It doesn't warrant a DSA, but such issues can be fixed in a Squeeze point 
update. I'm adding Jonathan Wiltshire to CC, who's coordinating this process.

Cheers,
Moritz
-- 
Moritz Mühlenhoff                         muehlenhoff@univention.de
Open Source Software Engineer
Univention GmbH  be open.                        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen          fax: +49 421 22 232-99
http://www.univention.de

Message #36 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 681097@bugs.debian.org

Subject: Re: CVE-2012-3386: Information disclosure

Date: Sat, 14 Jul 2012 11:15:02 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/681097/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Message #41 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@debian.org>

To: Jonathan Wiltshire <jmw@debian.org>, 681097@bugs.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Wed, 25 Jul 2012 00:32:32 -0400

[Message part 1 (text/plain, inline)]

Sorry Jonathan, due to some personal commitments and the flu I haven't
gotten to this yet. But I'll prepare these by the end of the week.

* Jonathan Wiltshire (jmw@debian.org) wrote:
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> squeeze (6.0.6) - use target "stable"
> 
> Please prepare a minimal-changes upload targetting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
> 
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
> 
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
> 
> 0: debian-release@lists.debian.org
> 1: http://prsc.debian.net/tracker/681097/
> 2: <201101232332.11736.thijs@debian.org>
> 3: http://deb.li/prsc
> 
> Thanks,
> 
> with his security hat on:

-- 
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com

[signature.asc (application/pgp-signature, inline)]

Message #46 received at 681097@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Eric Dorland <eric@debian.org>

Cc: Jonathan Wiltshire <jmw@debian.org>, 681097@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Sun, 29 Jul 2012 22:38:46 +0100

On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> Sorry Jonathan, due to some personal commitments and the flu I haven't
> gotten to this yet. But I'll prepare these by the end of the week.

It appears this was uploaded already, as it's now sitting in p-u-NEW.
Now that that's happened, it will get processed in due course, but for
any future issues, please bear in mind that Jonathan's message said:

> > Please prepare a minimal-changes upload targetting each of these suites,
> > and submit a debdiff to the Release Team [0] for consideration. They will
> > offer additional guidance or instruct you to upload your package.
[...]
>> 0: debian-release@lists.debian.org

We should consider changing that to be a request to file a bug, but in
any case the discussion is intended to happen /before/ the upload, not
as a result of it.

Regards,

Adam

Message #51 received at 681097@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@kuroneko.ca>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: Jonathan Wiltshire <jmw@debian.org>, 681097@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Sun, 29 Jul 2012 18:25:39 -0400

[Message part 1 (text/plain, inline)]

* Adam D. Barratt (adam@adam-barratt.org.uk) wrote:
> On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> > Sorry Jonathan, due to some personal commitments and the flu I haven't
> > gotten to this yet. But I'll prepare these by the end of the week.
> 
> It appears this was uploaded already, as it's now sitting in p-u-NEW.
> Now that that's happened, it will get processed in due course, but for
> any future issues, please bear in mind that Jonathan's message said:
> 
> > > Please prepare a minimal-changes upload targetting each of these suites,
> > > and submit a debdiff to the Release Team [0] for consideration. They will
> > > offer additional guidance or instruct you to upload your package.
> [...]
> >> 0: debian-release@lists.debian.org
> 
> We should consider changing that to be a request to file a bug, but in
> any case the discussion is intended to happen /before/ the upload, not
> as a result of it.

Sorry about that. I didn't reread the instructions when I was
preparing the package and forgot this step. Attached is the debdiff. I
still need to upload automake1.10, automake1.9 and automake1.7. Would
you like to see those diffs as well? They will be the same. 

-- 
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com

[automake1.11_1.11.1-1+squeeze1_src.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #56 received at 681097@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Eric Dorland <eric@kuroneko.ca>

Cc: Jonathan Wiltshire <jmw@debian.org>, 681097@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#681097: CVE-2012-3386: Information disclosure

Date: Mon, 30 Jul 2012 19:55:42 +0100

On Sun, 2012-07-29 at 18:25 -0400, Eric Dorland wrote:
> * Adam D. Barratt (adam@adam-barratt.org.uk) wrote:
> > On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> > > Sorry Jonathan, due to some personal commitments and the flu I haven't
> > > gotten to this yet. But I'll prepare these by the end of the week.
> > 
> > It appears this was uploaded already, as it's now sitting in p-u-NEW.
[...]
> Sorry about that. I didn't reread the instructions when I was
> preparing the package and forgot this step. Attached is the debdiff. I
> still need to upload automake1.10, automake1.9 and automake1.7. Would
> you like to see those diffs as well? They will be the same. 

Thanks for the 1.9 and 1.10 diffs; I've just replied to those.  Would it
be possible to get a diff for the proposed 1.7 update, please?

I've just flagged the automake1.11 upload for acceptance in to
proposed-updates.

Regards,

Adam

Message #61 received at 681097-close@bugs.debian.org (full text, mbox, reply):

From: Eric Dorland <eric@debian.org>

To: 681097-close@bugs.debian.org

Subject: Bug#681097: fixed in automake1.11 1:1.11.1-1+squeeze1

Date: Mon, 30 Jul 2012 19:02:08 +0000

Source: automake1.11
Source-Version: 1:1.11.1-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
automake1.11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated automake1.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 29 Jul 2012 03:19:19 -0400
Source: automake1.11
Binary: automake
Architecture: source all
Version: 1:1.11.1-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 automake   - A tool for generating GNU Standards-compliant Makefiles
Closes: 681097
Changes: 
 automake1.11 (1:1.11.1-1+squeeze1) stable; urgency=low
 .
   * lib/am/distdir.am: Fixes CVE-2012-3386 "Temporary worldwide write
     permissions during make distcheck". (Closes: #681097)
Checksums-Sha1: 
 2fbe62e65c574864db14d192a9cc169e99c25de2 1316 automake1.11_1.11.1-1+squeeze1.dsc
 f6c8d8b27886c4b238b772c7fb63128fc0a0a090 6532 automake1.11_1.11.1-1+squeeze1.debian.tar.bz2
 1bcc1cc81dfe9d039b44dda26131cf97e7d113be 610936 automake_1.11.1-1+squeeze1_all.deb
Checksums-Sha256: 
 e32016cdef33013ff27a39ba0776d4ea4a75e06d99b2fac1eaa050db9c56b701 1316 automake1.11_1.11.1-1+squeeze1.dsc
 5f0ef5fb9e0debeb654bf2840c8968cd21a5422ba7f6641ba53273f7d761b77b 6532 automake1.11_1.11.1-1+squeeze1.debian.tar.bz2
 25f54f4b8da23bbb8e53721dde022e0f229452e588d2c23a698085de939280a9 610936 automake_1.11.1-1+squeeze1_all.deb
Files: 
 e86ffc0f025f7215935d0459cb001d88 1316 devel optional automake1.11_1.11.1-1+squeeze1.dsc
 628d1cbb259e2c98e80d4204f9b45594 6532 devel optional automake1.11_1.11.1-1+squeeze1.debian.tar.bz2
 4328d731e0e228598aaf791f1178d4a8 610936 devel optional automake_1.11.1-1+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAVoR4ACgkQYemOzxbZcMYFkgCfTScSH0KF2JbajRd9iOULR1Fi
k88AnRIN8FwtbiH2hEn5VtF/n7M4vn5E
=O48G
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.