gnustandards ChangeLog standards.texi

gnustandards-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

gnustandards ChangeLog standards.texi

From:	Karl Berry
Subject:	gnustandards ChangeLog standards.texi
Date:	Sat, 12 Dec 2009 00:07:07 +0000

CVSROOT:        /sources/gnustandards
Module name:    gnustandards
Changes by:     Karl Berry <karl>       09/12/12 00:07:07

Modified files:
        .              : ChangeLog standards.texi 

Log message:
        recommend 755 for distribution tarballs, CVE-2009-4029

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnustandards/ChangeLog?cvsroot=gnustandards&r1=1.101&r2=1.102
http://cvs.savannah.gnu.org/viewcvs/gnustandards/standards.texi?cvsroot=gnustandards&r1=1.189&r2=1.190

Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnustandards/gnustandards/ChangeLog,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -b -r1.101 -r1.102
--- ChangeLog   20 Nov 2009 17:45:11 -0000      1.101
+++ ChangeLog   12 Dec 2009 00:07:06 -0000      1.102
@@ -1,3 +1,11 @@
+2009-12-11  Ralf Wildenhues  <address@hidden>
+
+       Do not recommend world-writable directories in package tarballs.
+       * doc/standards.texi (Releases): Change recommended directory
+       mode to 755, include justification and refer to original text;
+       following CVE-2009-4029.
+       Report by Jim Meyering.
+
 2009-11-20  Karl Berry  <address@hidden>
 
        * standards.texi (Preface),

Index: standards.texi
===================================================================
RCS file: /sources/gnustandards/gnustandards/standards.texi,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -b -r1.189 -r1.190
--- standards.texi      20 Nov 2009 17:45:11 -0000      1.189
+++ standards.texi      12 Dec 2009 00:07:06 -0000      1.190
@@ -3,7 +3,7 @@
 @setfilename standards.info
 @settitle GNU Coding Standards
 @c This date is automagically updated when you save this file:
address@hidden lastupdate November 20, 2009
address@hidden lastupdate December 11, 2009
 @c %**end of header
 
 @dircategory GNU organization
@@ -4064,13 +4064,13 @@
 distribution.  So if you do distribute non-source files, always make
 sure they are up to date when you make a new distribution.
 
-Make sure that the directory into which the distribution unpacks (as
-well as any subdirectories) are all world-writable (octal mode 777).
-This is so that old versions of @code{tar} which preserve the
-ownership and permissions of the files from the tar archive will be
-able to extract all the files even if the user is unprivileged.
-
-Make sure that all the files in the distribution are world-readable.
+Make sure that all the files in the distribution are world-readable, and
+that directories are world-readable and world-searchable (octal mode 755).
+We used to recommend that all directories in the distribution also be
+world-writable (octal mode 777), because ancient versions of @code{tar}
+would otherwise not cope when extracting the archive as an unprivileged
+user.  That can easily lead to security issues when creating the archive,
+however, so now we recommend against that.
 
 Don't include any symbolic links in the distribution itself.  If the tar
 file contains symbolic links, then people cannot even unpack it on

[Prev in Thread]

Current Thread

[Next in Thread]

gnustandards ChangeLog standards.texi, Karl Berry <=

Next by Date: gnustandards ChangeLog maintain.texi
Next by thread: gnustandards ChangeLog maintain.texi
Index(es):
- Date
- Thread