bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make d

bug-automake

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make d

From:	Behdad Esfahbod
Subject:	bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date:	Wed, 17 Nov 2010 11:26:50 -0500
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10

Hi Ralf,

Scroll down for my comments.


On 11/13/10 03:00, Ralf Wildenhues wrote:
> [ Thanks Glenn for rerouting the bug report! ]
> 
> Hi Behdad,
> 
>> From: Behdad Esfahbod
>> Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
>> Date: Thu, 11 Nov 2010 16:17:22 -0500
> 
>> I recently read about the fix for the chmod 777 issue.  Just wanted to note
>> that it may be preferred if you continue with chmod 777 and instead fix the
>> problem by moving the dist dir inside another direction that is 700.
>>
>> The reason a 777 mod in the tarball may be preferred (or 775 for that matter,
>> but not 755) is for systems that users of a group are using sticky-bit on the
>> group to share writable files with eachother.  By letting the umask decide
>> what bits should not be set you you enable such settings, whereas using 755,
>> the user expanding the tarball has to reset it to 775 or the rest of the 
>> group
>> cannot write to it.
> 
> Thanks for the bug report.  At the time we fixed this, we considered
> going this other option.  It was a fairly close call.  The downside of
> the solution you suggest was that it would complicate 'make dist' a
> little, and maybe break a few packages that rely on the exact subdir
> structure of $(distdir) being one directory below the toplevel build
> directory.  Such reliance is probably bad style anyway, but we didn't
> know of many uses that would benefit from more relaxed permission inside
> the tarball.  How useful is that for you, how come you don't use a
> version control repository rather than an extracted tarball for
> collaborative work (honest question)?
> 
> You are the first person to report this in the 12 months since we
> released fixed versions of Automake.  I don't have other data to go on
> but it thus doesn't seem to be a very wide spread issue to me, and
> there's the obvious workaround of a chmod -R after extraction, no?


When I read about the fix, this was the first thing that popped into my mind.
 I didn't actually hit this issue.

But I agree: most probably no one actually relies on the permissions being
correct right off the tarball anyway.

Cheers,
behdad

> I'm open to arguments here, but so far I'm slightly leaning toward
> keeping the current behavior.
> 
> Thanks,
> Ralf
>

[Prev in Thread]

Current Thread

[Next in Thread]

bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*', Glenn Morris, 2010/11/11
- bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*', Ralf Wildenhues, 2010/11/13
  - bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*', Behdad Esfahbod <=

Prev by Date: bug#7352: bug report
Next by Date: bug#7434: When an incorrect option is used before --help/--version, automake behaviour is inconsistent with that of other GNU programs.
Previous by thread: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Next by thread: bug#7403: Unused variable `$source' in the depcomp script?
Index(es):
- Date
- Thread