gnustandards ChangeLog standards.texi

From: Karl Berry
Subject: gnustandards ChangeLog standards.texi
Date: Sat, 12 Dec 2009 00:07:07 +0000

CVSROOT:        /sources/gnustandards
Module name:    gnustandards
Changes by:     Karl Berry <karl>       09/12/12 00:07:07

Modified files:
        .              : ChangeLog standards.texi 

Log message:
        recommend 755 for distribution tarballs, CVE-2009-4029


Index: ChangeLog
RCS file: /sources/gnustandards/gnustandards/ChangeLog,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -b -r1.101 -r1.102
--- ChangeLog   20 Nov 2009 17:45:11 -0000      1.101
+++ ChangeLog   12 Dec 2009 00:07:06 -0000      1.102
@@ -1,3 +1,11 @@
+2009-12-11  Ralf Wildenhues  <address@hidden>
+       Do not recommend world-writable directories in package tarballs.
+       * doc/standards.texi (Releases): Change recommended directory
+       mode to 755, include justification and refer to original text;
+       following CVE-2009-4029.
+       Report by Jim Meyering.
 2009-11-20  Karl Berry  <address@hidden>
        * standards.texi (Preface),

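Review bot: the path in the new ChangeLog entry does not match the file actually changed. The entry cites `* doc/standards.texi (Releases)`, but the commit header lists the modified files as `ChangeLog standards.texi` in the module root, and the second Index below is `/sources/gnustandards/gnustandards/standards.texi,v`, so the entry should read `* standards.texi (Releases):` to match the existing 2009-11-20 entry directly beneath it.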
Index: standards.texi
RCS file: /sources/gnustandards/gnustandards/standards.texi,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -b -r1.189 -r1.190
--- standards.texi      20 Nov 2009 17:45:11 -0000      1.189
+++ standards.texi      12 Dec 2009 00:07:06 -0000      1.190
@@ -3,7 +3,7 @@
 @settitle GNU Coding Standards
 @c This date is automagically updated when you save this file:
address@hidden lastupdate November 20, 2009
address@hidden lastupdate December 11, 2009
 @c %**end of header
 @dircategory GNU organization
@@ -4064,13 +4064,13 @@
 distribution.  So if you do distribute non-source files, always make
 sure they are up to date when you make a new distribution.
-Make sure that the directory into which the distribution unpacks (as
-well as any subdirectories) are all world-writable (octal mode 777).
-This is so that old versions of @code{tar} which preserve the
-ownership and permissions of the files from the tar archive will be
-able to extract all the files even if the user is unprivileged.
-Make sure that all the files in the distribution are world-readable.
+Make sure that all the files in the distribution are world-readable, and
+that directories are world-readable and world-searchable (octal mode 755).
+We used to recommend that all directories in the distribution also be
+world-writable (octal mode 777), because ancient versions of @code{tar}
+would otherwise not cope when extracting the archive as an unprivileged
+user.  That can easily lead to security issues when creating the archive,
+however, so now we recommend against that.
 Don't include any symbolic links in the distribution itself.  If the tar
 file contains symbolic links, then people cannot even unpack it on

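Review bot: the justification in the replacement paragraph names only the hazard "when creating the archive", but the removed text itself explains the second one: tar versions that preserve the archive's permissions leave every directory world-writable on the unpacking user's system too, so the 777 recommendation exposed both the packager and everyone who extracts the tarball. One clause covering extraction would make the rationale complete. Also, the new text gives an explicit mode for directories (octal 755) but only says files must be "world-readable"; stating the file mode the same way (e.g. "octal mode 644") would keep the two requirements parallel and leave no ambiguity about whether files may remain group- or world-writable.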