Re: [PATCH] maint: add a syntax-check rule to check for vulnerable Makefile.in

From: Jim Meyering
Subject: Re: [PATCH] maint: add a syntax-check rule to check for vulnerable Makefile.in
Date: Thu, 28 Jan 2010 09:32:11 +0100
Eric Blake wrote:
> According to Jim Meyering on 1/27/2010 2:42 PM:
>> I've just pushed this to coreutils.
>> I propose to move the rule to gnulib's maint.mk.
>> Why? Just noticed that Fedora 11 is still using a vulnerable
>> version of automake-1.11, and that some projects don't require
>> automake-1.11.1.
>>
>> Any objections or suggestions?
>
> I like it. It lets projects stick with automake 1.10.3, or even a
> vendor-patched 1.9.6+, without falling prey to unpatched 1.10.2 or 1.11.
> coreutils, and any other package that already requires 1.11 features (like
> building configure scripts that accept --enable-silent-rules) only benefit
> by avoiding 1.11, but they can likewise do that by requiring 1.11.1. But
> packages that intend to support older automake releases definitely
> benefit, so I say move it to gnulib's maint.mk.
>
> + 'see http://bugzilla.redhat.com/542609 for details' \
>
> That bug report only lists a handful of comments to the public; are we
> missing anything in the remaining comments that were screened for security?
My initial report is in there, but it's not world-readable.
It was probably considered too explicit.
However, most of it (along with other comments not in the BZ)
ended up being published here:
http://bugs.gentoo.org/295357
There's also Ralf's announcement:
http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
I've just added a comment to the BZ with the latter link.