Vulnerability Details : CVE-2009-4029
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
Exploit prediction scoring system (EPSS) score for CVE-2009-4029
Probability of exploitation activity in the next 30 days: 0.04%
Percentile (the proportion of vulnerabilities scored at or below this one): ~6%
CVSS scores for CVE-2009-4029
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST |
CWE ids for CVE-2009-4029
- The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-4029
- Red Hat, 2010-03-31: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029 This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html The Red Hat Security Response Team has rated this issue as having low security impact; there's no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.
References for CVE-2009-4029
- http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
- http://savannah.gnu.org/forum/forum.php?forum_id=6077
- http://www.vupen.com/english/advisories/2009/3579
- http://www.securityfocus.com/archive/1/514526/100/0/threaded
- http://lists.gnu.org/archive/html/automake/2009-12/msg00013.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11717
- http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html (Patch)
- http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html (Exploit)
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0071
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:203
- http://lists.gnu.org/archive/html/automake/2009-12/msg00011.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021784.1-1
Affected configurations (CPE) for CVE-2009-4029
- cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:branch:1-9:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*