Debian Bug report logs - #681097
CVE-2012-3386: Information disclosure
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Tue, 10 Jul 2012 16:00:01 UTC
Severity: important
Tags: security, squeeze
Found in versions automake1.11/1:1.11.1-1, 1:1.11-1.2.201001121001
Fixed in versions automake1.11/1:1.11.6-1, automake1.11/1:1.11.1-1+squeeze1
Done: Eric Dorland <eric@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Tue, 10 Jul 2012 16:00:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Eric Dorland <eric@debian.org>. (Tue, 10 Jul 2012 16:00:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: automake
Version: 1:1.11-1.2.201001121001
Severity: important
Tags: security
Hi,
a security issue has been found in automake. It's not earth-shattering, but we should
still get it into Wheezy.
http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
This also affects the source packages automake, automake1.7, automake1.9 and
automake1.10...
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#681097; Package automake. (Tue, 10 Jul 2012 18:51:04 GMT)
Acknowledgement sent to Eric Dorland <eric@debian.org>: Extra info received and forwarded to list. (Tue, 10 Jul 2012 18:51:04 GMT)
Message #10 received at 681097@bugs.debian.org:
tags 681097 squeeze
found 681097 1:1.11.1-1
clone 681097 -1 -2 -3 -4
reassign -1 automake1.10
found -1 1:1.10.3.1
reassign -2 automake1.9
found -2 1.9.6+nogfdl-3.1
reassign -3 automake1.7
found -3 1.7.9-9.1
reassign -4 automake1.4
found -4 1:1.4-p6-13.1
thanks
Thanks Moritz, forking off bugs for each version. This is going to be
no fun :)
* Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> Package: automake
> Version: 1:1.11-1.2.201001121001
> Severity: important
> Tags: security
>
> Hi,
> a security issue has been found in automake. It's not earth-shattering, but we should
> still get it into Wheezy.
>
> http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
>
> This also affects the source packages automake, automake1.7, automake1.9 and
> automake1.10...
>
> Cheers,
> Moritz
>
>
--
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
Added tag(s) squeeze. Request was from Eric Dorland <eric@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 18:51:06 GMT)
Marked as found in versions automake1.11/1:1.11.1-1. Request was from Eric Dorland <eric@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 18:51:07 GMT)
Reply sent to Eric Dorland <eric@debian.org>: You have taken responsibility. (Tue, 10 Jul 2012 21:51:19 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Tue, 10 Jul 2012 21:51:20 GMT)
Message #21 received at 681097-close@bugs.debian.org:
Source: automake1.11
Source-Version: 1:1.11.6-1
We believe that the bug you reported is fixed in the latest version of
automake1.11, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 681097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated automake1.11 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 10 Jul 2012 16:24:23 -0400
Source: automake1.11
Binary: automake
Architecture: source all
Version: 1:1.11.6-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description:
automake - Tool for generating GNU Standards-compliant Makefiles
Closes: 681097
Changes:
automake1.11 (1:1.11.6-1) unstable; urgency=low
.
* New upstream release. Fixes CVE-2012-3386 "Temporary worldwide write
permissions during make distcheck". (Closes: #681097)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#681097; Package automake. (Fri, 13 Jul 2012 02:53:56 GMT)
Acknowledgement sent to Eric Dorland <eric@debian.org>: Extra info received and forwarded to list. (Fri, 13 Jul 2012 02:54:18 GMT)
Message #26 received at 681097@bugs.debian.org:
* Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> Package: automake
> Version: 1:1.11-1.2.201001121001
> Severity: important
> Tags: security
>
> Hi,
> a security issue has been found in automake. It's not earth-shattering, but we should
> still get it into Wheezy.
>
> http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
>
> This also affects the source packages automake, automake1.7, automake1.9 and
> automake1.10...
It looks like it doesn't affect automake1.4, but I'm awaiting
confirmation. Should I prepare a stable update as well or is it not
worth it?
--
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Fri, 13 Jul 2012 13:09:21 GMT)
Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Fri, 13 Jul 2012 13:09:28 GMT)
Message #31 received at 681097@bugs.debian.org:
On Friday, 13 July 2012 04:45:25 Eric Dorland wrote:
> * Moritz Muehlenhoff (muehlenhoff@univention.de) wrote:
> > Package: automake
> > Version: 1:1.11-1.2.201001121001
> > Severity: important
> > Tags: security
> >
> > Hi,
> > a security issue has been found in automake. It's not earth-shattering,
> > but we should still get it into Wheezy.
> >
> > http://thread.gmane.org/gmane.comp.sysutils.automake.patches/8572
> >
> > This also affects the source packages automake, automake1.7, automake1.9
> > and automake1.10...
>
> It looks like it doesn't affect automake1.4, but I'm awaiting
> confirmation. Should I prepare a stable update as well or is it not
> worth it?
It doesn't warrant a DSA, but such issues can be fixed in a Squeeze point
update. I'm adding Jonathan Wiltshire to CC, who's coordinating this process.
Cheers,
Moritz
--
Moritz Mühlenhoff muehlenhoff@univention.de
Open Source Software Engineer
Univention GmbH be open. fon: +49 421 22 232- 0
Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99
http://www.univention.de
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Sat, 14 Jul 2012 11:42:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Sat, 14 Jul 2012 11:42:03 GMT)
Message #36 received at 681097@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/681097/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#681097; Package automake. (Wed, 25 Jul 2012 04:42:03 GMT)
Acknowledgement sent to Eric Dorland <eric@debian.org>: Extra info received and forwarded to list. (Wed, 25 Jul 2012 04:42:03 GMT)
Message #41 received at 681097@bugs.debian.org:
Sorry Jonathan, due to some personal commitments and the flu I haven't
gotten to this yet. But I'll prepare these by the end of the week.
* Jonathan Wiltshire (jmw@debian.org) wrote:
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.6) - use target "stable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-release@lists.debian.org
> 1: http://prsc.debian.net/tracker/681097/
> 2: <201101232332.11736.thijs@debian.org>
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
--
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Sun, 29 Jul 2012 21:45:06 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Sun, 29 Jul 2012 21:45:06 GMT)
Message #46 received at 681097@bugs.debian.org:
On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> Sorry Jonathan, due to some personal commitments and the flu I haven't
> gotten to this yet. But I'll prepare these by the end of the week.
It appears this was uploaded already, as it's now sitting in p-u-NEW.
Now that that's happened, it will get processed in due course, but for
any future issues, please bear in mind that Jonathan's message said:
> > Please prepare a minimal-changes upload targeting each of these suites,
> > and submit a debdiff to the Release Team [0] for consideration. They will
> > offer additional guidance or instruct you to upload your package.
[...]
>> 0: debian-release@lists.debian.org
We should consider changing that to be a request to file a bug, but in
any case the discussion is intended to happen /before/ the upload, not
as a result of it.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Sun, 29 Jul 2012 22:27:03 GMT)
Acknowledgement sent to Eric Dorland <eric@kuroneko.ca>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Sun, 29 Jul 2012 22:27:03 GMT)
Message #51 received at 681097@bugs.debian.org:
* Adam D. Barratt (adam@adam-barratt.org.uk) wrote:
> On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> > Sorry Jonathan, due to some personal commitments and the flu I haven't
> > gotten to this yet. But I'll prepare these by the end of the week.
>
> It appears this was uploaded already, as it's now sitting in p-u-NEW.
> Now that that's happened, it will get processed in due course, but for
> any future issues, please bear in mind that Jonathan's message said:
>
> > > Please prepare a minimal-changes upload targeting each of these suites,
> > > and submit a debdiff to the Release Team [0] for consideration. They will
> > > offer additional guidance or instruct you to upload your package.
> [...]
> >> 0: debian-release@lists.debian.org
>
> We should consider changing that to be a request to file a bug, but in
> any case the discussion is intended to happen /before/ the upload, not
> as a result of it.
Sorry about that. I didn't reread the instructions when I was
preparing the package and forgot this step. Attached is the debdiff. I
still need to upload automake1.10, automake1.9 and automake1.7. Would
you like to see those diffs as well? They will be the same.
--
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
[automake1.11_1.11.1-1+squeeze1_src.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#681097; Package automake. (Mon, 30 Jul 2012 19:00:06 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Mon, 30 Jul 2012 19:00:06 GMT)
Message #56 received at 681097@bugs.debian.org:
On Sun, 2012-07-29 at 18:25 -0400, Eric Dorland wrote:
> * Adam D. Barratt (adam@adam-barratt.org.uk) wrote:
> > On Wed, 2012-07-25 at 00:32 -0400, Eric Dorland wrote:
> > > Sorry Jonathan, due to some personal commitments and the flu I haven't
> > > gotten to this yet. But I'll prepare these by the end of the week.
> >
> > It appears this was uploaded already, as it's now sitting in p-u-NEW.
[...]
> Sorry about that. I didn't reread the instructions when I was
> preparing the package and forgot this step. Attached is the debdiff. I
> still need to upload automake1.10, automake1.9 and automake1.7. Would
> you like to see those diffs as well? They will be the same.
Thanks for the 1.9 and 1.10 diffs; I've just replied to those. Would it
be possible to get a diff for the proposed 1.7 update, please?
I've just flagged the automake1.11 upload for acceptance into
proposed-updates.
Regards,
Adam
Reply sent to Eric Dorland <eric@debian.org>: You have taken responsibility. (Mon, 30 Jul 2012 19:03:07 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Mon, 30 Jul 2012 19:03:07 GMT)
Message #61 received at 681097-close@bugs.debian.org:
Source: automake1.11
Source-Version: 1:1.11.1-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
automake1.11, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 681097@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated automake1.11 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 29 Jul 2012 03:19:19 -0400
Source: automake1.11
Binary: automake
Architecture: source all
Version: 1:1.11.1-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description:
automake - A tool for generating GNU Standards-compliant Makefiles
Closes: 681097
Changes:
automake1.11 (1:1.11.1-1+squeeze1) stable; urgency=low
.
* lib/am/distdir.am: Fixes CVE-2012-3386 "Temporary worldwide write
permissions during make distcheck". (Closes: #681097)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Oct 2012 07:33:14 GMT)