---------- Forwarded message ----------
From: Jim Meyering <address@hidden>
Date: Thu, Dec 31, 2009 at 6:38 AM
Subject: [gnu-prog-discuss] be sure to use latest automake (or at least patched)
To: address@hidden

There was a nasty flaw in _every_ automake-generated Makefile.in
until recently[*]. When making releases, most of us who maintain
automake-using packages run "make dist" or "make distcheck".
Even if you don't, your users may. The flaw put all of us at risk.
With a Makefile.in generated by unpatched automake,
if you run "make dist" in a potentially hostile environment,
you risk including arbitrary code in a tarball that you may
then sign, thinking it's a faithful copy of your working sources.
Worse, if you run "make distcheck" you risk immediate arbitrary
code execution.

Even if you are confident you never run those commands
in a vulnerable environment, you have to consider that
someone who downloads your release tarball may run them.

I mention this because some recently released packages
included Makefile.in files generated by unpatched automake.
To check, simply run this against the top-level Makefile.in:

    grep 'perm -777' Makefile.in

If there's a match, you should get a fixed version of automake
and use it to regenerate that file.

A request to those who control the
upload-to-ftp.gnu.org process:
please add the above check to inspect each incoming tarball, and
reject any that are vulnerable.

Jim

[*] Here's the announcement of the "make dist" CVE fix
http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
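The message gives a one-line grep for a single top-level Makefile.in and asks that the same check be applied to every incoming release tarball. The script below is an added example, not part of Jim Meyering's message and not automake's or the GNU upload process's own tooling: it wraps that grep in a function that scans every Makefile.in inside a gzipped tarball, which is the shape a release-intake check would take. The `perm -777` marker is the one from the message; the demo tarball, its package name and the flagged dist rule inside it are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example: scan Makefile.in files for the 'perm -777' marker that the
# message above says identifies output of an unpatched automake.

# check_makefile_in FILE
#   0 = clean, 1 = marker present (regenerate with a fixed automake), 2 = unreadable
check_makefile_in() {
    [ -r "$1" ] || return 2
    if grep -q 'perm -777' "$1"; then
        return 1
    fi
    return 0
}

# scan_tarball TARBALL.tar.gz
#   Extracts into a scratch directory and runs the same grep over every
#   Makefile.in found. Prints flagged paths. 0 = clean, 1 = flagged, 2 = error.
scan_tarball() {
    tarball=$1
    tmp=$(mktemp -d) || return 2
    if ! tar -xzf "$tarball" -C "$tmp" 2>/dev/null; then
        echo "ERROR: cannot extract $tarball" >&2
        rm -rf "$tmp"
        return 2
    fi
    # grep -l lists only the files that contain the marker.
    flagged=$(find "$tmp" -name Makefile.in -exec grep -l 'perm -777' {} + \
              | sed "s|^$tmp/||")
    rm -rf "$tmp"
    if [ -n "$flagged" ]; then
        echo "VULNERABLE: $tarball"
        echo "$flagged" | sed 's/^/  /'
        return 1
    fi
    echo "clean: $tarball"
    return 0
}

# make_demo_tarball OUT.tar.gz
#   Builds a constructed tarball with one clean and one flagged Makefile.in so
#   scan_tarball has something to run against. The flagged rule is a stand-in
#   for the unpatched dist rule, not copied from any real automake release.
make_demo_tarball() {
    out=$1
    work=$(mktemp -d) || return 1
    mkdir -p "$work/pkg-1.0/lib"
    printf 'all:\n\t@echo clean\n' > "$work/pkg-1.0/lib/Makefile.in"
    printf 'distdir:\n\tfind "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \\;\n' \
        > "$work/pkg-1.0/Makefile.in"
    tar -czf "$out" -C "$work" pkg-1.0
    rm -rf "$work"
}

# Stand-alone demo: build the constructed tarball and scan it.
demo() {
    d=$(mktemp -d)
    make_demo_tarball "$d/pkg-1.0.tar.gz"
    scan_tarball "$d/pkg-1.0.tar.gz" || true
    rm -rf "$d"
}

demo
```

In intake use, call `scan_tarball` on each uploaded archive and reject on a non-zero exit; the per-file `check_makefile_in` is the same grep the message gives, so a maintainer can run it on a checkout before tagging a release.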