Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)

From: Stefano Lattarini
Subject: Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
Date: Fri, 13 Jul 2012 13:22:05 +0200

On 07/13/2012 12:51 PM, Diego Elio Pettenò wrote:
> Il 13/07/2012 10:50, Stefano Lattarini ha scritto:
>> Well, I'm really disappointed that nobody reported this upstream to us;
>> our non-Debian users would have been saved from two and a half years of
>> potential vulnerability :-/
> It's worth noting that I just checked and Gentoo also applies the same
> patch, for us started by
> The report quoted there refers to Jim who, if I'm not mistaken, works
> for RedHat, so I guess RHEL/Fedora/Centos are covered as well.
Ah but *that* bug (CVE-2009-4029, which affected not only "make distcheck"
but also "make dist") was fixed in Automake proper as well.  However, a
stray "chmod a+w $(distdir)" in the distcheck target was somehow missed
in the fix, and that caused CVE-2012-3386.  So these are two different
issues, not to be confused.

> So as much as I'd like to blame Debian, it's not really their fault :)
Looking more carefully, they fixed the (equivalent of CVE-2012-3386) for
Automake 1.4 (probably because they had to manually backport the patch
anyway, so looked for all the occurrences of "chmod 777"), but they did
*not* fix it for the more modern versions (e.g., Automake 1.11), probably
being convinced it had been solved as part of the fix for CVE-2009-4029;
so I spoke too fast and inconsiderately by accusing them of somehow
withholding a security fix from upstream.

So, Debian developers: sorry for the confusion, and please accept my
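Added example, not code from the thread or from the Automake project: a small POSIX shell audit that scans the distcheck recipe of a Makefile.in for the "chmod a+w $(distdir)" (or distro-patched "chmod 777") pattern discussed above, and shows the permission bits that chmod leaves on the unpacked distdir. The sample recipes it writes are constructed and heavily shortened, and the choice of "u+w" as the safe replacement is an assumption of this example, not something the mail states.

```shell
#!/bin/sh
# Added example, not Automake code.  Audits a Makefile.in for the
# CVE-2012-3386 pattern from the mail: a chmod inside the distcheck recipe
# that makes $(distdir) world-writable.  Sample Makefile fragments below are
# constructed, not real Automake output; "u+w" as the fix is an assumption.

# Exit 0 (and print the offending lines) if the distcheck recipe grants write
# access to everyone; exit 1 if it does not.  Only recipe lines between the
# "distcheck:" target and the next target are examined, so a chmod elsewhere
# in the Makefile is not reported.
distcheck_grants_world_write() {
    awk '
        /^distcheck:/ { in_rule = 1; next }
        in_rule && $0 != "" && substr($0, 1, 1) != "\t" { in_rule = 0 }
        in_rule && /chmod[ \t]+(-R[ \t]+)?(a\+w|777|o\+w)/ { print; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a constructed, shortened distcheck recipe to $1, using $2 as the mode
# re-applied to $(distdir) after "chmod -R a-w" ("a+w" reproduces the bug,
# "777" the distro variant, "u+w" the assumed safe form).  A chmod a+w in an
# unrelated target is included to show that the audit scopes itself to distcheck.
write_sample_makefile() {
    {
        printf 'distcheck: dist\n'
        printf '\trm -rf $(distdir)\n'
        printf '\tchmod -R a-w $(distdir); chmod %s $(distdir)\n' "$2"
        printf '\tmkdir $(distdir)/_build\n\n'
        printf 'unrelated:\n\tchmod a+w $(builddir)/scratch\n'
    } > "$1"
}

# Apply the recipe's chmod sequence to a fresh directory and print its
# permission string, e.g. "drwxrwxrwx" for a+w versus "drwxr-xr-x" for u+w.
distdir_mode_after_chmod() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pkg-1.0" && chmod 755 "$d/pkg-1.0"
    chmod -R a-w "$d/pkg-1.0" && chmod "$1" "$d/pkg-1.0"
    ls -ld "$d/pkg-1.0" | cut -c1-10
    rm -rf "$d"
}

# Usage: sh audit-distcheck.sh path/to/Makefile.in
if [ $# -gt 0 ]; then
    distcheck_grants_world_write "$1" && echo "VULNERABLE: distcheck makes \$(distdir) world-writable"
fi
```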