[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind
From: |
Jim Meyering |
Subject: |
Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind |
Date: |
Tue, 08 Dec 2009 17:44:26 +0100 |
Jim Meyering wrote:
> FYI, I should be pushing these soon, and then making a snapshot
> within a couple hours:
>
> [PATCH 1/2] build: distcheck: do not leave a $TMPDIR/coreutils directory
> behind
aka, http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=ae034822c535fa5
Now that there's a public BZ mentioning the security impact,
http://bugzilla.redhat.com/545439, I will note that the above
change also fixes a security-related flaw. Any user running
"make distcheck" with TMPDIR unset or set to a world-writable
directory like /tmp, is vulnerable to arbitrary code execution.
So either don't run "make distcheck", with coreutils-8.1 or earlier,
or be sure that TMPDIR is not a world-writable directory.
I'll add something like the above to NEWS.