bug-texinfo

Re: texinfo 5.2 dist creates directories that are 777


From: Karl Berry
Subject: Re: texinfo 5.2 dist creates directories that are 777
Date: Mon, 18 Nov 2013 00:11:59 GMT

    such unreasonably permissive file modes.  

I don't feel terribly strongly about it, but I disagree with
"unreasonably".  Anyway, I don't think I am doing anything to explicitly
change the permissions (any more), just taking whatever Automake does.

    is how came that the upload script accepted it.

Well, Sergey, you have easier access to the upload script (on puszca)
than anyone else, since the version from the FSF is never up to date.

As I recall, the checks were done by grepping the Makefile.in for
various strings, not by directly looking at permissions.

Looking at the Makefile.in (generated with automake 1.14), I see a lot
of chmod's in the dist targets, including as part of complicated find
expressions, etc., but cannot untangle it all now.  Maybe someone who
feels more strongly about it would like to spend that time.  I don't
think it has anything to do with Texinfo specifically.

Related entries I see in Automake NEWS:
..
Bugs fixed in 1.12.2:
  - The 'distcheck' recipe no longer grants temporary world-write
    permissions on the extracted distdir.  Even if such rights were
    only granted for a vanishingly small time window, the implied
    race condition proved to be enough to allow a local attacker
    to run arbitrary code with the privileges of the user running
    "make distcheck".  This is CVE-2012-3386.
..
Bugs fixed in 1.11.1:
  - The distribution is tarred up with mode 755 now by the `dist*' targets.
    This fixes a race condition where untrusted users could modify files
    in the $(PACKAGE)-$(VERSION) distdir before packing if the toplevel
    build directory was world-searchable.  This is CVE-2009-4029.

karl
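
A direct permission check of the kind the message contrasts with grepping Makefile.in, as an added example that is not part of the original message or of the upload script: it reads the mode bits from the tar headers and reports every member that is world-writable. The function names and the sample archive (`example-1.0`) are constructed for illustration.

```python
import io
import stat
import tarfile


def world_writable_members(fileobj):
    """Return (name, kind, octal mode) for each member whose header grants o+w."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # A symlink's own mode bits are not what protects the target; skip them.
            if member.issym():
                continue
            if member.mode & stat.S_IWOTH:
                kind = "dir" if member.isdir() else "file"
                findings.append((member.name, kind, format(member.mode & 0o7777, "04o")))
    return findings


def build_sample_tarball():
    """Constructed sample: a dist tarball whose directories were packed as 0777."""
    members = [
        ("example-1.0", 0o777, None),           # directory, world-writable
        ("example-1.0/doc", 0o777, None),       # directory, world-writable
        ("example-1.0/build-aux", 0o755, None),  # directory, expected mode
        ("example-1.0/configure", 0o755, b"#!/bin/sh\n"),
        ("example-1.0/README", 0o644, b"constructed sample\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind, mode in world_writable_members(build_sample_tarball()):
        print(f"{mode} {kind:4} {name}")
```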


