Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)

[Stefano Lattarini]

On 07/13/2012 12:51 PM, Diego Elio Pettenò wrote:
> Il 13/07/2012 10:50, Stefano Lattarini ha scritto:
>> Well, I'm really disappointed that nobody reported this upstream to us;
>> our non-Debian users would have been saved from two and a half years of
>> potential vulnerability :-/
> 
> It's worth noting that I just checked and Gentoo also applies the same
> patch, for us started by
> 
> https://bugs.gentoo.org/show_bug.cgi?id=295357
> 
> The report quoted there refers to Jim who, if I'm not mistaken, works
> for RedHat, so I guess RHEL/Fedora/Centos are covered as well.
>
Ah but *that* bug (CVE-2009-4029, which affected not only "make distcheck"
but also "make dist") was fixed in Automake proper as well.  However, a
stray "chmod a+w $(distdir)" in the distcheck target was somehow missed
in the fix, and that caused CVE-2012-3386.  So these are two different
issues, not to be confused.

> So as much as I'd like to blame Debian, it's not really their fault :)
>
Looking more carefully, they fixed the (equivalent of CVE-2012-3386) for
Automake 1.4 (probably because they had to manually backport the patch
anyway, so looked for all the occurrences of "chmod 777"), but they did
*not* fix it for the more modern versions (e.g., Automake 1.11), probably
being convinced it had been solved as part of the fix for CVE-2009-4029;
so I spoke too fast and inconsiderately by accusing them so somehow
withold a security fix from upstream.

So, Debian developers: sorry for the confusion, and please accept my
apologies.

Thanks,
  Stefano