[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] FYI: CVE-2012-3386 - vulnerability of 'make distcheck'



Libvirt is vulnerable to an automake security hole; anyone that runs
'make distcheck' on any existing libvirt release tarball risks a local
exploit that can take advantage of world-writable permissions to inject
the operation of attacker-controlled code under the capabilities of the
developer testing the package.  This security hole can be mitigated by
either avoiding the use of 'make distcheck', or by setting a restrictive
umask (such as 022) before running 'make distcheck'.

Since few people beyond developers tend to run 'make distcheck', I'm not
too worried about pushing out a new libvirt tarball any sooner than the
regular release cycle.  But we should definitely upgrade to the latest
gnulib (it adds a syntax check to validate whether the 	vulnerability
still exists), and ensure that the release of libvirt 0.10.0, as well as
the next maintenance releases of v0.9.{6,11}-maint, have been built with
patched automake.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]