---------- Forwarded message ----------
From: Jim Meyering <address@hidden>
Date: Thu, Dec 31, 2009 at 6:38 AM
Subject: [gnu-prog-discuss] be sure to use latest automake (or at least patched)
There was a nasty flaw in _every_ automake-generated Makefile.in
until recently[*]. When making releases, most of us who maintain
automake-using packages run "make dist" or "make distcheck".
Even if you don't, your users may. The flaw put all of us at risk.
With a Makefile.in generated by unpatched automake,
if you run "make dist" in a potentially hostile environment,
you risk including arbitrary code in a tarball that you may
then sign, thinking it's a faithful copy of your working sources.
Worse, if you run "make distcheck" you risk immediate arbitrary
Even if you are confident you never run those commands
in a vulnerable environment, you have to consider that
someone who downloads your release tarball may run them.
I mention this because some recently released packages
included Makefile.in files generated by unpatched automake.
To check, simply run this against the top-level Makefile.in:
grep 'perm -777' Makefile.in
If there's a match, you should get a fixed version of automake
and use it to regenerate that file.
A request to those who control the upload-to-ftp.gnu.org
please add the above check to inspect each incoming tarball, and
reject any that are vulnerable.
[*] Here's the announcement of the "make dist" CVE fix