Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
From: Eric Dorland
Subject: Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
Date: Thu, 12 Jul 2012 17:26:33 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

* Stefano Lattarini (address@hidden) wrote:
> On 07/12/2012 08:23 PM, Eric Dorland wrote:
> > * Stefano Lattarini (address@hidden) wrote:
> >> On 07/10/2012 12:14 AM, Eric Dorland wrote:
> >>>
> >>> Are older versions of automake also vulnerable?
> >>>
> >> Yes, all those back to 1.4 (at least). Sorry for not stating that
> >> explicitly.
> >
> > So I'm not obviously finding this vulnerability in automake 1.4. The
> > code has changed a lot clearly since then, but I'm not even finding a
> > chmod that looks similar. Can anyone confirm this problem is present
> > in automake 1.4?
> >
>
> ------------------
> Git Repository
> ------------------
>
> $ git clone git://git.savannah.gnu.org/automake.git
> $ cd automake
> $ git checkout Release-1-4-p6
> $ git grep -C3 'chmod 777.*distdir'
> Makefile.in-distdir: $(DISTFILES)
> Makefile.in- -rm -rf $(distdir)
> Makefile.in- mkdir $(distdir)
> Makefile.in: -chmod 777 $(distdir)
> Makefile.in- here=`cd $(top_builddir) && pwd`; \
> Makefile.in- top_distdir=`cd $(distdir) && pwd`; \
> Makefile.in- distdir=`cd $(distdir) && pwd`; \
Thanks! It looks like this was actually fixed in Debian a few years
ago as part of the CVE-2009-4029
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4029)
fix. Patch attached. You can see the source for the package at
http://anonscm.debian.org/gitweb/?p=users/eric/automake.git;a=summary. Looks
good?
--
Eric Dorland <address@hidden>
ICQ: #61138586, Jabber: address@hidden
Attachment: CVE-2009-4029.diff (Text Data)
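
As an added example (not part of the original message, the attached patch, or Automake), the `git grep` check quoted above can be turned into a scan over a source tree's `Makefile.in` and `*.am` files. The function names, the regular expression and the sample tree are assumptions made for illustration; the matcher goes beyond the literal `chmod 777` to any numeric mode with the world-write bit and to single symbolic clauses such as `a+rwx`.

```shell
#!/bin/sh
# Added example: list Makefile lines that make $(distdir) world-writable.
# Prints "file:line: text" for each hit; prints nothing for a clean tree.
scan_distdir_chmod() {
    find "${1:-.}" -type f \( -name Makefile.in -o -name '*.am' \) -print |
    while IFS= read -r mf; do
        # Flag a line that mentions distdir and runs chmod with either
        #  - a numeric mode whose last octal digit has the write bit, or
        #  - a single symbolic clause giving "w" to other/all (a+w, o+w, a+rwx).
        # Comma-separated symbolic modes are not parsed (known limitation).
        awk -v file="$mf" '
            /distdir/ && /chmod[ \t]+(-[A-Za-z]+[ \t]+)*([0-7]?[0-7][0-7][2367]|[ugoa]*[oa][ugoa]*\+[rwxXst]*w[rwxXst]*)[ \t]/ {
                sub(/^[ \t]+/, "")
                printf "%s:%d: %s\n", file, FNR, $0
            }' "$mf"
    done
}

# Constructed sample tree (assumption, for illustration only): "old" holds the
# rule quoted from Release-1-4-p6 above; "new" is a hypothetical tightened
# variant, not the Debian patch.
make_sample() {
    sample_dir=$(mktemp -d) || return 1
    mkdir "$sample_dir/old" "$sample_dir/new"
    printf 'distdir: $(DISTFILES)\n\t-rm -rf $(distdir)\n\tmkdir $(distdir)\n\t-chmod 777 $(distdir)\n' \
        > "$sample_dir/old/Makefile.in"
    printf 'distdir: $(DISTFILES)\n\tmkdir $(distdir)\n\t-chmod 755 $(distdir)\n' \
        > "$sample_dir/new/Makefile.in"
    echo "$sample_dir"
}

tree=$(make_sample)
scan_distdir_chmod "$tree"
rm -rf "$tree"
```

Because the rule lives in generated `Makefile.in` files, the scan is most useful on unpacked release tarballs as well as on the Automake checkout itself.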