[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!)

From: Stefano Lattarini
Subject: GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!)
Date: Mon, 09 Jul 2012 18:14:15 +0200

We are pleased to announce the Automake 1.12.2 maintenance release.

This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386; see the
NEWS excerpt below for details), so you are strongly encouraged to
upgrade your existing Automake installation ASAP.

See below for the detailed list of changes since Automake 1.12.1, as
summarized by the NEWS file.

Download here:

Please report bugs and problems to <address@hidden>, and send
general comments and feedback to <address@hidden>.

Thanks to everyone who has reported problems, contributed patches,
and helped testing Automake!


New in 1.12.2:

* Warnings and deprecations:

  - Automake now issues a warning (in the 'portability' category) if
    '' is used instead of '' as the Autoconf
    input file.  Such a warning will also be present in the next
    Autoconf version (2.70).

* Cleaning rules:

  - Recursive cleaning rules descends into the $(SUBDIRS) in the natural
    order (as done by the other recursive rules), rather than in the
    inverse order.  They used to do that in order to work a round a
    limitation in an older implementation of the automatic dependency
    tracking support, but that limitation had been lifted years ago
    already, when the automatic dependency tracking based on side-effects
    of compilation had been introduced.

  - Cleaning rules for compiled objects (both "plain" and libtool) work
    better when subdir objects are involved, not triggering a distinct
    'rm' invocation for each such object.  They do so by removing *any*
    compiled object file that is in the same directory of a subdir
    object.  See automake bug#10697.

* Silent rules support:

  - A new predefined $(AM_V_P) make variable is provided; it expands
    to a shell conditional that can be used in recipes to know whether
    make is being run in silent or verbose mode.

Bugs fixed in 1.12.2:


  - The recipe of the 'distcheck' no longer grants anymore temporary
    world-wide write permissions on the extracted distdir.  Even if such
    rights were only granted for a vanishingly small time window, the
    implied race condition proved to be enough to allow a local attacker
    to run arbitrary code with the privileges of the user running "make
    distcheck".  This is CVE-2012-3386.

* Long-standing bugs:

  - The "recheck" targets behaves better in the face of build failures
    related to previously failed tests.  For example, if a test is a
    compiled program that must be rerun by "make recheck", and its
    compilation fails, it will still be rerun by further "make recheck"
    invocations.  See automake bug#11791.

* Bugs introduced by 1.12.1:

  - Automake provides once again the '$(mkdir_p)' make variable and the
    '@mkdir_p@' substitution (both as simple aliases for '$(MKDIR_P)'),
    for better backward-compatibility.


* WARNING: Future backward-incompatibilities!

  - Future versions of Automake will likely drop support for the
    long-deprecated '' name for the Autoconf input file.
    You are advised to use the recommended name '' instead.

  - The long-obsolete (since automake 1.10) AM_PROG_MKDIR m4 macro will
    be removed in Automake 1.13.  The $(mkdir_p) make variable and the
    @mkdir_p@ substitution will still remain available (as aliases of
    $(MKDIR_P)) for the moment, for better backward compatibility.

  - Autoconf 2.65 or later will be required by the next major Automake
    version (1.13).  Until now, Automake has required Autoconf version
    2.62 or later.

  - Starting from the next major Automake version (1.13), the rules
    to build pdf, ps and dvi output from Texinfo input will use the
    '--build-dir' option by default.  Since such an option was only
    introduced in Texinfo 4.9, this means that Makefiles generated by
    future Automake versions will require at least that version of

  - Starting from the next major Automake version (1.13), the parallel
    testsuite harness (previously only enabled by the 'parallel-tests'
    option) will become the default one; the older serial testsuite
    harness will still be available through the use of the 'serial-tests'

  - The following long-obsolete m4 macros will be removed in the
    next major Automake version (1.13):

      AM_PROG_CC_STDC:    superseded by AC_PROG_CC since October 2002
      fp_PROG_CC_STDC:    broken alias for AM_PROG_CC_STDC
      fp_WITH_DMALLOC:    old alias for AM_WITH_DMALLOC
      AM_CONFIG_HEADER:   superseded by AC_CONFIG_HEADERS since July 2002
      ud_PATH_LISPDIR:    old alias for AM_PATH_LISPDIR
      ud_GNU_GETTEXT:     old alias for AM_GNU_GETTEXT
      gm_PROG_LIBTOOL:    old alias for AC_PROG_LIBTOOL
      fp_C_PROTOTYPES:    old alias for AM_C_PROTOTYPES (which was part
                          of the now-removed automatic de-ANSI-fication
                          support of Automake)

  - All the "old alias" macros in 'm4/obsolete.m4' will be removed in
    the next major Automake version (1.13).

  - Support for the two- and three-arguments invocation forms of the
    AM_INIT_AUTOMAKE macro is deprecated, and will be removed in the
    next major Automake version (1.13).

  - The '--acdir' option of aclocal is deprecated, and will probably
    be removed in the next major Automake release (1.13).  You should
    use the options '--automake-acdir' and '--system-acdir' instead
    (which have been introduced in Automake 1.11.2).

  - The exact order in which the directories in the aclocal macro
    search path are looked up is probably going to be changed in the
    next Automake release (1.13).

  - The 'missing' script will not try anymore to update the timestamp
    of out-of-date files that require a maintainer-specific tool to be
    remade, in case the user lacks such a tool (or has a too-old version
    of it).  In fact, starting from Automake 1.13, all it'll do will be
    giving more useful warnings than a bare "command not found" from a
    make recipe would.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]