Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)

[Stefano Lattarini]

On 07/12/2012 08:23 PM, Eric Dorland wrote:
> * Stefano Lattarini (address@hidden) wrote:
>> On 07/10/2012 12:14 AM, Eric Dorland wrote:
>>>
>>> Are older versions of automake also vulnerable?
>>>
>> Yes, all those back to 1.4 (at least).  Sorry for not stating that
>> explicitly.
> 
> So I'm not obviously finding this vulnerability in automake 1.4. The
> code has changed a lot clearly since then, but I'm not even finding a
> chmod that looks similar. Can anyone confirm this problem is present
> in automake 1.4?
> 

------------------
  Git Repository
------------------

$ git clone git://git.savannah.gnu.org/automake.git
$ cd automake
$ git checkout Release-1-4-p6
$ git grep -C3 'chmod 777.*distdir'
Makefile.in-distdir: $(DISTFILES)
Makefile.in-    -rm -rf $(distdir)
Makefile.in-    mkdir $(distdir)
Makefile.in:    -chmod 777 $(distdir)
Makefile.in-    here=`cd $(top_builddir) && pwd`; \
Makefile.in-    top_distdir=`cd $(distdir) && pwd`; \
Makefile.in-    distdir=`cd $(distdir) && pwd`; \
--
Makefile.in-        test -d $(distdir)/$$subdir \
Makefile.in-        || mkdir $(distdir)/$$subdir \
Makefile.in-        || exit 1; \
Makefile.in:        chmod 777 $(distdir)/$$subdir; \
Makefile.in-        (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) 
top_distdir=../$(distdir) distdir=../$(distdir)/$$sub
Makefile.in-          || exit 1; \
Makefile.in-      fi; \
--
automake.in-    # Create dist directory.
automake.in-    $output_rules .= ("\t-rm -rf \$(distdir)\n"
automake.in-                      . "\tmkdir \$(distdir)\n"
automake.in:                      . "\t-chmod 777 \$(distdir)\n");
automake.in-    }
automake.in-
automake.in-    # Only run automake in `dist' target if --include-deps and
--
automake.in-         . "\t" . '    test -d $(distdir)/$$subdir ' . "\\\n"
automake.in-         . "\t" . '    || mkdir $(distdir)/$$subdir ' . "\\\n"
automake.in-         . "\t" . '    || exit 1; ' . "\\\n"
automake.in:         . "\t" . '    chmod 777 $(distdir)/$$subdir; ' . "\\\n"
automake.in-         . "\t" . '    (cd $$subdir'
automake.in-         . ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$('
automake.in-         . (($relative_dir eq '.') ? 'distdir' : 'top_distdir')

------------------------
  Distribution Tarball
------------------------

$ wget http://ftp.gnu.org/gnu/automake/automake-1.4-p6.tar.gz
$ tar xaf automake-1.4-p6.tar.gz
$ cd automake-1.4-p6
$ grep -r -C3 'chmod 777.*distdir'
Makefile.in-distdir: $(DISTFILES)
Makefile.in-    -rm -rf $(distdir)
Makefile.in-    mkdir $(distdir)
Makefile.in:    -chmod 777 $(distdir)
Makefile.in-    @for file in $(DISTFILES); do \
Makefile.in-      d=$(srcdir); \
Makefile.in-      if test -d $$d/$$file; then \
--
Makefile.in-        test -d $(distdir)/$$subdir \
Makefile.in-        || mkdir $(distdir)/$$subdir \
Makefile.in-        || exit 1; \
Makefile.in:        chmod 777 $(distdir)/$$subdir; \
Makefile.in-        (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) 
top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
Makefile.in-          || exit 1; \
Makefile.in-      fi; \
--
automake.in-    # Create dist directory.
automake.in-    $output_rules .= ("\t-rm -rf \$(distdir)\n"
automake.in-                      . "\tmkdir \$(distdir)\n"
automake.in:                      . "\t-chmod 777 \$(distdir)\n");
automake.in-    }
automake.in-
automake.in-    # Only run automake in `dist' target if --include-deps and
--
automake.in-         . "\t" . '    test -d $(distdir)/$$subdir ' . "\\\n"
automake.in-         . "\t" . '    || mkdir $(distdir)/$$subdir ' . "\\\n"
automake.in-         . "\t" . '    || exit 1; ' . "\\\n"
automake.in:         . "\t" . '    chmod 777 $(distdir)/$$subdir; ' . "\\\n"
automake.in-         . "\t" . '    (cd $$subdir'
automake.in-         . ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$('
automake.in-         . (($relative_dir eq '.') ? 'distdir' : 'top_distdir')

HTH,
  Stefano