m4-1.4.11 released

From: Eric Blake
Subject: m4-1.4.11 released
Date: Wed, 02 Apr 2008 07:31:44 -0600

The GNU M4 team is proud to announce the release of M4 1.4.11, intended to
be the last release in the stable 1.4.x series.  This release primarily
exists to patch some portability and security problems identified in 1.4.10.

In the time since 1.4.10 was released, there has also been a beta release
M4 1.4.10b, which contains many additional fixes (primarily optimizations)
that were intentionally omitted from M4 1.4.11.  The decision was made
that M4 1.4.10b had enough changes that it would instead be used as the
starting point of a new 1.6.x stable release series.

Here are the compressed sources:
    (1.2MB)
    (908KB)
    (684KB)

Here are the xdelta diffs (useful? if so, please tell address@hidden):
    (176KB)

Here are the GPG detached signatures[*]:

Here are the MD5 and SHA1 checksums:


[*] You can use either of the above signature files to verify that
the corresponding file (without the .sig suffix) is intact.  First,
be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:

   gpg --verify m4-1.4.11.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

   gpg --keyserver --recv-keys F4850180

and rerun the `gpg --verify' command.

This release was bootstrapped with the following tools:
   Autoconf 2.61
   Automake 1.10.1
   Gnulib v0.0-433-g2ada70a


* Noteworthy changes in Version 1.4.11 (2008-04-02) [stable]
   Released by Eric Blake, based on git version 1.4.10a

** Security fixes for the -F option, for bugs present since -F was
    introduced in 1.3: Avoid core dump with 'm4 -F file -t undefined', and
    avoid arbitrary code execution with certain file names.

** Fix regression introduced in 1.4.9b in the `divert' builtin when more
    than 512 kibibytes are saved in diversions on platforms like NetBSD
    or darwin where fopen(name,"a+") seeks to the end of the file.

** The output of the `maketemp' and `mkstemp' builtins is now quoted if a
    file was created.  This is a minor security fix, because it was possible
    (although rather unlikely) that an unquoted string could match an
    existing macro name, such that use of the `mkstemp' output would trigger
    inadvertent macro expansion and operate on the wrong file name.

** Enhance the `defn' builtin to support concatenation of multiple text
    arguments, as required by POSIX.  However, at this time, it is not
    possible to concatenate a builtin macro with anything else; a warning is
    now issued if this is attempted, although a future version of M4 may
    lift this restriction to match other implementations.

** Enhance the `format' builtin to parse all C99 floating point numbers,
    even on platforms where strtod(3) is buggy, although the replacement
    function does have the known issue of rounding errors when parsing
    some decimal floating point values.  This fixes testsuite failures
    introduced in 1.4.9b.

** Enhance the `index' builtin to guarantee linear behavior, in spite of
    the surprisingly large number of systems with a brain-dead quadratic
    strstr(3).

** A number of portability improvements inherited from gnulib.
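
The `maketemp'/`mkstemp' quoting item above, shown as an added example that is not part of the original announcement: old_result and new_result are hypothetical macros standing in for unquoted (pre-1.4.11) and quoted (1.4.11) builtin output, and the path and the `tmp' macro are constructed.  It goes one step beyond the item to show that storing the name with `define' strips the quotes again, so the stored name is read back with `defn'.

```m4
dnl Constructed demonstration. old_result and new_result are hypothetical
dnl stand-ins for the text mkstemp hands back; no file is created here.
define(`old_result', `/tmp/workXa1b2c')dnl  expands to a bare, unquoted name
define(`new_result', ``/tmp/workXa1b2c'')dnl  expands to a quoted name
define(`tmp', `etc')dnl  unrelated macro whose name appears in the path
dnl The unquoted result is rescanned, so the word tmp is expanded.
old_result
dnl The quoted result loses one level of quotes and is not rescanned.
new_result
dnl Passing the result to define strips the quotes while the argument is
dnl collected, so a plain call to saved is rescanned like the old output.
define(`saved', new_result)dnl
saved
dnl defn returns the stored definition quoted, which keeps the name intact.
defn(`saved')
```

Run through m4, the first and third output lines read /etc/workXa1b2c (the wrong file name) and the second and fourth read /tmp/workXa1b2c.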

