Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)

[Stefano Lattarini]

On 07/10/2012 12:40 AM, Eric Dorland wrote:
> * Stefano Lattarini (address@hidden) wrote:
>> On 07/10/2012 12:14 AM, Eric Dorland wrote:
>>> 
>>> Are older versions of automake also vulnerable?
>>> 
>> Yes, all those back to 1.4 (at least).  Sorry for not stating that 
>> explicitly.
> 
> Awesome :) Is there a diff or git commit I can look at to start the 
> backporting.
> 
See the attachment to:
<http://lists.gnu.org/archive/html/automake/2012-07/msg00023.html>

Not sure how well that will work with older Automake releases though; while
ploughing through the 1.4 and 1.5 releases, I remember seeing several scary
"chmod -R a+w ..." as well as "chmod 777 ..." commands.  You might want to
do a more sweeping audit of those older releases if you want to actually
(try to) secure them.

> I just happen to be at DebConf this week so the timing is pretty good.
> 
Well, good work then (and as an happy Debian user I might add: keep up the
good work :-)

Regards,
  Stefano