Closed Bug 542110 Opened 15 years ago Closed 15 years ago

some Makefile.in have the CVE-2009-4029 vulnerability

Categories

(Firefox Build System :: General, defect)

Product:
Firefox Build System
Component:
General
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: gscrivano, Unassigned)

Details

Attachments

(1 file)

The proposed fix
1.13 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.2) Gecko/20100121 IceCat/3.5.5 Firefox/3.5.5 Build Identifier: firefox 3.6 The dist or distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4029 Reproducible: Always
Attached patch The proposed fixSplinter Review
Not particuarly worrying, since those are the libffi and Breakpad makefiles, and we don't actually use the latter in our build, and we don't build tarballs using the former. Also, these are both generated files (from the Makefile.am), so patching them directly isn't likely to help things. You should probably file upstream tickets with libffi and Google Breakpad: libffi-discuss@sources.redhat.com http://code.google.com/p/google-breakpad/issues/list
it is fine to patch directly the Makefile.in file used in a distribution, it is what users use and it is fine to assume developers, when they re-create the Makefile.in, use the latest versions of their tools. There is no way to fix it directly from the Makefile.am file.
I would not assume that developers are using the latest versions of autotools. In my experience, they stick with whatever they started with until forced to change for some reason. Anyway, please file those upstream. They're not a concern for us as we don't use them, but if you get them fixed upstream we'll eventually get them when we sync up anyway.
Let's close this bug: we don't use the autotools dist rules in our tree (we use a custom install/package target), so the bug doesn't affect us.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Component: General → Build Config
QA Contact: general → build-config
Product: Core → Firefox Build System
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: