automake

Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)


From: Eric Dorland
Subject: Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
Date: Thu, 12 Jul 2012 17:26:33 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

* Stefano Lattarini (address@hidden) wrote:
> On 07/12/2012 08:23 PM, Eric Dorland wrote:
> > * Stefano Lattarini (address@hidden) wrote:
> >> On 07/10/2012 12:14 AM, Eric Dorland wrote:
> >>>
> >>> Are older versions of automake also vulnerable?
> >>>
> >> Yes, all those back to 1.4 (at least).  Sorry for not stating that
> >> explicitly.
> > 
> > So I'm not obviously finding this vulnerability in automake 1.4. The
> > code has changed a lot clearly since then, but I'm not even finding a
> > chmod that looks similar. Can anyone confirm this problem is present
> > in automake 1.4?
> > 
> 
> ------------------
>   Git Repository
> ------------------
> 
> $ git clone git://git.savannah.gnu.org/automake.git
> $ cd automake
> $ git checkout Release-1-4-p6
> $ git grep -C3 'chmod 777.*distdir'
> Makefile.in-distdir: $(DISTFILES)
> Makefile.in-    -rm -rf $(distdir)
> Makefile.in-    mkdir $(distdir)
> Makefile.in:    -chmod 777 $(distdir)
> Makefile.in-    here=`cd $(top_builddir) && pwd`; \
> Makefile.in-    top_distdir=`cd $(distdir) && pwd`; \
> Makefile.in-    distdir=`cd $(distdir) && pwd`; \

Thanks! It looks like this was actually fixed in Debian a few years
ago as part of the CVE-2009-4029
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4029)
fix. Patch attached. You can see the source for the package at
http://anonscm.debian.org/gitweb/?p=users/eric/automake.git;a=summary. Looks
good?

-- 
Eric Dorland <address@hidden>
ICQ: #61138586, Jabber: address@hidden

Attachment: CVE-2009-4029.diff
Description: Text Data

Attachment: signature.asc
Description: Digital signature
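
Added example, not part of the original message or the attached patch: a shell check that generalizes the `git grep` quoted above to report any recipe line in a source tree that makes `$(distdir)` world-writable. The modes matched beyond `chmod 777`, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report recipe lines that make
# $(distdir) world-writable in Makefile.in / Makefile.am files.

# ERE: chmod [-R] MODE ... $(distdir), where MODE is octal with the "other"
# write bit set (last digit 2, 3, 6 or 7) or symbolic granting w to "o" or
# "a". The thread only shows 'chmod 777'; the rest is a generalization.
PATTERN='chmod[[:space:]]+(-R[[:space:]]+)?([0-7]{2,3}[2367]|[ugoa]*[oa][ugoa]*[+=][rwxXst]*w[rwxXst]*)[[:space:]].*\$[({]distdir[)}]'

# scan_distdir_chmod DIR
# Prints file:line:text per hit; exit status 0 if any hit, 1 if none.
scan_distdir_chmod() {
    find "$1" -type f \( -name Makefile.in -o -name Makefile.am \) \
        -exec grep -nE "$PATTERN" /dev/null {} + | grep .
}

# write_samples DIR: constructed inputs. old/ copies lines quoted in the
# thread; new/ is a made-up variant that is not world-writable (it is not
# the attached patch).
write_samples() {
    mkdir -p "$1/old" "$1/new"
    cat > "$1/old/Makefile.in" <<'EOF'
distdir: $(DISTFILES)
    -rm -rf $(distdir)
    mkdir $(distdir)
    -chmod 777 $(distdir)
EOF
    cat > "$1/new/Makefile.in" <<'EOF'
distdir: $(DISTFILES)
    -rm -rf $(distdir)
    mkdir $(distdir)
    -chmod 755 $(distdir)
    chmod -R a-w $(distdir); chmod u+w $(distdir)
EOF
}

# Demo on the constructed samples: only old/Makefile.in line 4 is reported.
tmp=$(mktemp -d) && write_samples "$tmp"
scan_distdir_chmod "$tmp" || echo "no world-writable distdir chmod found"
rm -rf "$tmp"
```

Pointing `scan_distdir_chmod` at an unpacked source tree covers every shipped `Makefile.in`, which matters because the generated files carry the rule regardless of which automake version is installed locally.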

