• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20000216 Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20000216)
Votes (Legacy)
ACCEPT(3) Bishop, Blake, Levy
MODIFY(1) Frech
NOOP(3) Baker, Cole, LeBlanc
REJECT(1) Christey
Comments (Legacy)
 Frech> XF:gnu-makefile-tmp-root
   (We have made assignment to two CANs. Requesting confirmation that this is
   not a duplicate of CVE-2000-0092: The BSD make program allows local users to
   modify files via a symlink attack when the -j option is being used.)
 Christey> To confirm Andre's question, this is being treated as
   different from CVE-2000-0092, based largely on the fact
   that the exploit is different.  I believe there was
   another reason for keeping these distinct, but that
   "deeper analysis" was not recorded :-(  While it's possible
   that this is the same bug from some common version of make,
   in the absence of other information we should probably
   keep these two split.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Taking a fresh look at the diff's for FreeBSD make:
   And Debian make:
   OK... now that I've hurt my brain looking at the code, while
   there are major differences in the surrounding code,
   ultimately both FreeBSD and Debian create an "outfile" file
   descriptor for the temporary file, within main() in main.c.
   In addition, child_execute_job() in job.c uses an outfile
   variable - for both sources.
   Perhaps FreeBSD reported the -j problem without seeing that it
   could come in from stdin as well, and/or Debian/etc. didn't realize
   that it was exploitable from job control, or maybe a combination of
   the two.  Regardless, the two problems are the same.
   Phew!  There goes a half-hour of my life that I'll never be
   able to get back...

Proposed (Legacy)
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.