[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[libredwg] Fwd: [gnu-prog-discuss] be sure to use latest automake (or at

From: Felipe Sanches
Subject: [libredwg] Fwd: [gnu-prog-discuss] be sure to use latest automake (or at least patched)
Date: Mon, 4 Jan 2010 00:54:47 -0200

I tried it on our current trunk and got this:

address@hidden:~$ cd devel/libredwg
address@hidden:~/devel/libredwg$ grep 'perm -777'
    -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \


---------- Forwarded message ----------
From: Jim Meyering <address@hidden>
Date: Thu, Dec 31, 2009 at 6:38 AM
Subject: [gnu-prog-discuss] be sure to use latest automake (or at least patched)
To: address@hidden

There was a nasty flaw in _every_ automake-generated
until recently[*].  When making releases, most of us who maintain
automake-using packages run "make dist" or "make distcheck".
Even if you don't, your users may.  The flaw put all of us at risk.

With a generated by unpatched automake,
if you run "make dist" in a potentially hostile environment,
you risk including arbitrary code in a tarball that you may
then sign, thinking it's a faithful copy of your working sources.
Worse, if you run "make distcheck" you risk immediate arbitrary
code execution.

Even if you are confident you never run those commands
in a vulnerable environment, you have to consider that
someone who downloads your release tarball may run them.

I mention this because some recently released packages
included files generated by unpatched automake.
To check, simply run this against the top-level

   grep 'perm -777'

If there's a match, you should get a fixed version of automake
and use it to regenerate that file.

A request to those who control the process:
please add the above check to inspect each incoming tarball, and
reject any that are vulnerable.


[*] Here's the announcement of the "make dist" CVE fix

reply via email to

[Prev in Thread] Current Thread [Next in Thread]