[Secure-testing-commits] r14048 - data/CVE

Michael Gilbert gilbert-guest at alioth.debian.org
Sat Feb 6 23:18:31 UTC 2010


Author: gilbert-guest
Date: 2010-02-06 23:18:31 +0000 (Sat, 06 Feb 2010)
New Revision: 14048

Modified:
   data/CVE/list
Log:
consider automake issue unimportant

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-02-06 22:20:23 UTC (rev 14047)
+++ data/CVE/list	2010-02-06 23:18:31 UTC (rev 14048)
@@ -2814,16 +2814,18 @@
 	- mysql-dfsg-5.0 <removed>
 	TODO: check
 CVE-2009-4029 (The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, ...)
-	- automake 1:1.11-1
-	[lenny] - automake <no-dsa> (Minor issue)
-	- automake1.9 <unfixed>
-	[lenny] - automake1.9 <no-dsa> (Minor issue)
-	- automake1.7 <unfixed>
-	[lenny] - automake1.7 <no-dsa> (Minor issue)
-	- automake1.10 <unfixed>
-	[lenny] - automake1.10 <no-dsa> (Minor issue)
-	NOTE: it also affects every Makefile.in generated by automake
-	NOTE: but it doesn't really affect Debian
+	- automake 1:1.11-1 (unimportant)
+	- automake1.9 <unfixed> (unimportant)
+	- automake1.7 <unfixed> (unimportant)
+	- automake1.10 <unfixed> (unimportant)
+	NOTE: for this to be exploited, an attacker needs to have account on the same
+	NOTE: system as the developer building the package, and that attacker needs to
+	NOTE: insert malicious data into the vulnerable directory in a small time frame.
+	NOTE: theoretically it may be possible, but it is highly unlikely, so this is
+	NOTE: being considered unimportant.
+	NOTE: for the paranoid, the only proper solution would be to rebuild the entire
+	NOTE: archive with a patched version of automake and enforce that all
+	NOTE: developers use a patched automake.
 	NOTE: http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html
 CVE-2009-4028 (The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x ...)
 	- mysql-dfsg-5.1 5.1.41-1
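Review bot: the first NOTE line is missing an article ("an attacker needs to have an account on the same system"), and the rewrite drops the earlier "it also affects every Makefile.in generated by automake" note; the new text only implies that point through "rebuild the entire archive with a patched version of automake", so consider keeping the Makefile.in sentence explicitly so it stays clear why fixing the automake packages alone does not close the issue for already-generated packages.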