Affected products (CPE):
  cpe:/a:gnu:automake:1.10.3
  cpe:/a:gnu:automake:1.11.1
  cpe:/a:gnu:automake:branch:1-9

CVE ID: CVE-2009-4029
Published: 2009-12-19T21:30:00.483-05:00
Last modified: 2017-09-18T21:29:54.360-04:00

CVSS:
  Base score: 4.4
  Access vector: LOCAL
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: PARTIAL
  Availability impact: PARTIAL
  Source: http://nvd.nist.gov
  Generated: 2009-12-21T10:43:00.000-05:00

References:
  SUNALERT 1021784
  BUGTRAQ 20101027 rPSA-2010-0071-1 automake
  VUPEN ADV-2009-3579
  MANDRIVA MDVSA-2010:203
  MLIST [automake-patches] 20091128 [PATCH] do not put world-writable directories in distribution tarballs
  MLIST [automake] 20091208 CVE-2009-4029 Automake security fix for 'make dist*'
  MLIST [automake] 20091208 GNU Automake 1.10.3 released
  MLIST [automake] 20091208 GNU Automake 1.11.1 released
  MLIST [automake] 20091208 Re: CVE-2009-4029 Automake security fix for 'make dist*'
  CONFIRM http://savannah.gnu.org/forum/forum.php?forum_id=6077
  CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0071

Description:
The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.