[libvirt] FYI: CVE-2012-3386 - vulnerability of 'make distcheck'

Eric Blake eblake at redhat.com
Mon Jul 9 16:42:10 UTC 2012

Libvirt is vulnerable to an automake security hole; anyone that runs
'make distcheck' on any existing libvirt release tarball risks a local
exploit that can take advantage of world-writable permissions to inject
the operation of attacker-controlled code under the capabilities of the
developer testing the package.  This security hole can be mitigated by
either avoiding the use of 'make distcheck', or by setting a restrictive
umask (such as 022) before running 'make distcheck'.

Since few people beyond developers tend to run 'make distcheck', I'm not
too worried about pushing out a new libvirt tarball any sooner than the
regular release cycle.  But we should definitely upgrade to the latest
gnulib (it adds a syntax check to validate whether the 	vulnerability
still exists), and ensure that the release of libvirt 0.10.0, as well as
the next maintenance releases of v0.9.{6,11}-maint, have been built with
patched automake.

Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 620 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120709/b7891d5e/attachment-0001.sig>

More information about the libvir-list mailing list