gnustandards ChangeLog standards.texi
From: Karl Berry
Subject: gnustandards ChangeLog standards.texi
Date: Sat, 12 Dec 2009 00:07:07 +0000
CVSROOT: /sources/gnustandards
Module name: gnustandards
Changes by: Karl Berry <karl> 09/12/12 00:07:07
Modified files:
. : ChangeLog standards.texi
Log message:
recommend 755 for distribution tarballs, CVE-2009-4029
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnustandards/ChangeLog?cvsroot=gnustandards&r1=1.101&r2=1.102
http://cvs.savannah.gnu.org/viewcvs/gnustandards/standards.texi?cvsroot=gnustandards&r1=1.189&r2=1.190
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnustandards/gnustandards/ChangeLog,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -b -r1.101 -r1.102
--- ChangeLog 20 Nov 2009 17:45:11 -0000 1.101
+++ ChangeLog 12 Dec 2009 00:07:06 -0000 1.102
@@ -1,3 +1,11 @@
+2009-12-11 Ralf Wildenhues <address@hidden>
+
+ Do not recommend world-writable directories in package tarballs.
+ * doc/standards.texi (Releases): Change recommended directory
+ mode to 755, include justification and refer to original text;
+ following CVE-2009-4029.
+ Report by Jim Meyering.
+
2009-11-20 Karl Berry <address@hidden>
* standards.texi (Preface),
Index: standards.texi
===================================================================
RCS file: /sources/gnustandards/gnustandards/standards.texi,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -b -r1.189 -r1.190
--- standards.texi 20 Nov 2009 17:45:11 -0000 1.189
+++ standards.texi 12 Dec 2009 00:07:06 -0000 1.190
@@ -3,7 +3,7 @@
@setfilename standards.info
@settitle GNU Coding Standards
@c This date is automagically updated when you save this file:
address@hidden lastupdate November 20, 2009
address@hidden lastupdate December 11, 2009
@c %**end of header
@dircategory GNU organization
@@ -4064,13 +4064,13 @@
distribution. So if you do distribute non-source files, always make
sure they are up to date when you make a new distribution.
-Make sure that the directory into which the distribution unpacks (as
-well as any subdirectories) are all world-writable (octal mode 777).
-This is so that old versions of @code{tar} which preserve the
-ownership and permissions of the files from the tar archive will be
-able to extract all the files even if the user is unprivileged.
-
-Make sure that all the files in the distribution are world-readable.
+Make sure that all the files in the distribution are world-readable, and
+that directories are world-readable and world-searchable (octal mode 755).
+We used to recommend that all directories in the distribution also be
+world-writable (octal mode 777), because ancient versions of @code{tar}
+would otherwise not cope when extracting the archive as an unprivileged
+user. That can easily lead to security issues when creating the archive,
+however, so now we recommend against that.
Don't include any symbolic links in the distribution itself. If the tar
file contains symbolic links, then people cannot even unpack it on
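Review bot: the new wording still leaves files underspecified. `+Make sure that all the files in the distribution are world-readable, and` only requires that files be readable, so a mode 666 file would satisfy the text; since the hunk now gives an explicit mode for directories (755), give one for files as well (644, with 755 for scripts that must stay executable) so group/world write is ruled out for both. The justification `+however, so now we recommend against that.` is also vaguer than it needs to be: "security issues" could be replaced with the concrete consequence, namely that any local user can create, rename or replace entries in a world-writable directory, so files in a 777 tree can be altered before they are archived or built. Finally, the old paragraph said exactly what ancient `tar` did (preserved ownership and permissions from the archive); keeping that clause in the new paragraph instead of "would otherwise not cope" would preserve the original reasoning the ChangeLog entry says it refers to.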
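The commit above recommends mode 755 directories in distribution tarballs. The following POSIX shell script is an added example, not code from the gnustandards repository or from any GNU package's `dist` rules: it builds a small tarball the old way (777 directories) and the new way (755), lists from the mode column of `tar -tvf` any member that is group- or world-writable, and normalizes a staging tree to 755 directories and 644 files before packing. The package tree `pkg-1.0` and its one source file are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the gnustandards repository or from any
# GNU package's Makefile. The pkg-1.0 tree and its contents are constructed.

# build_tarball OUT DIRMODE [fix]
# Create a tiny pkg-1.0 tree, set its directories to DIRMODE (777 mimics the
# old recommendation, 755 the new one), optionally normalize the tree first,
# and archive it into OUT.
build_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg-1.0/src"
    printf 'int main(void) { return 0; }\n' > "$work/pkg-1.0/src/main.c"
    chmod 644 "$work/pkg-1.0/src/main.c"
    chmod "$2" "$work/pkg-1.0" "$work/pkg-1.0/src"
    if [ "${3:-}" = fix ]; then
        normalize_modes "$work/pkg-1.0"
    fi
    tar -cf "$1" -C "$work" pkg-1.0
    rm -rf "$work"
}

# normalize_modes DIR
# Make every directory 755 and every plain file 644, keeping execute bits
# that are already set (X adds x only to directories and to files that are
# already executable), and clear group/world write everywhere. Run this on
# the staging tree before tar sees it.
normalize_modes() {
    chmod -R a+rX,u+w,go-w "$1"
}

# count_writable TARBALL
# Print how many members are writable by group or others. "tar -tvf" prints
# the symbolic mode first; character 6 is the group write bit and character 9
# the other write bit in both GNU tar and bsdtar listings.
count_writable() {
    tar -tvf "$1" | awk '
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { n++ }
        END { print n + 0 }'
}

# check_tarball TARBALL
# List each offending member (mode and name) and return 1 if any exist, so
# the check can gate a release script:  check_tarball pkg-1.0.tar || exit 1
check_tarball() {
    tar -tvf "$1" | awk '
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { print $1, $NF; bad = 1 }
        END { exit bad + 0 }'
}
```

`count_writable` is the one to wire into a release check: for the 777 fixture it reports 2 (the top directory and `src`), and 0 for both the 755 fixture and a 777 tree that went through `normalize_modes` first. `check_tarball` prints the offenders and fails, which is what you want from a pre-upload step.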