Vulnerability Details : CVE-2012-3386
The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
Vulnerability category: Execute code
Products affected by CVE-2012-3386
- cpe:2.3:a:gnu:automake:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p5:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p4:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p1:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p3:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p2:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.4:p6:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:automake:1.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3386
- 0.04%: Probability of exploitation activity in the next 30 days
- ~ 6 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-3386
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
CWE ids for CVE-2012-3386
- Assigned by: nvd@nist.gov (Primary)
- The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3386
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087665.html
  [SECURITY] Fedora 16 Update: automake-1.11.6-1.fc16
- http://git.savannah.gnu.org/cgit/automake.git/commit/?id=784b3e6ccc7c72a1c95c340cbbe8897d6b689d76
  automake.git - GNU Automake (Exploit; Patch)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087538.html
  [SECURITY] Fedora 17 Update: automake-1.11.6-1.fc17
- https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html
  CVE-2012-3386 Automake security fix for 'make distcheck' (Patch)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:103
  mandriva.com
- https://lists.gnu.org/archive/html/automake/2012-07/msg00021.html
  GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!) (Patch)
- http://rhn.redhat.com/errata/RHSA-2013-0526.html
  RHSA-2013:0526 - Security Advisory - Red Hat Customer Portal
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089187.html
  [SECURITY] Fedora 17 Update: automake17-1.7.9-16.fc17
- https://lists.gnu.org/archive/html/automake/2012-07/msg00022.html
  GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!) (Patch)
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00038.html
  openSUSE-SU-2012:1519-1: automake: fixed a race condition