CVE-2009-4029 Automake security fix for 'make dist*'

[Ralf Wildenhues]

GNU Automake 1.11.1 as well as 1.10.3 fix a security-related race
condition that affects `make dist' and `make distcheck' for all packages
that use Automake.  Before the fix, the `distdir' target (which is used
by both `dist' and `distcheck') would first populate a directory below
the build tree with all files and directories to distribute, then change
the mode of all those directories to 777 before creating the tarball.
When the build tree is world-searchable, this allows another user on the
system a time window in which to modify files ending up in the
distribution, for example the `configure' script.  If `make distcheck'
is run, then this might result in arbitrary code execution as the
developer doing the build.

The fix that was applied is to let the `distdir' target change
directories to mode 755 only[1].  An effective workaround against the
attack vector is to remove the searchability x-bit from the toplevel
build directory (the one `configure' was run from) for other users on
the system: `chmod go-x .'.

This vulnerability impacts not only the Automake package itself, but all
packages with Automake-generated makefiles.  For an effective fix it is
necessary to regenerate Makefile.in files with a fixed Automake version.

For release branches older than branch-1-10, the respective fix has been
applied to the git tree, but there are currently no plans to produce new
official releases for them; contact us if you absolutely need to have
such a release.  This refers to the following git branches:

  branch-1-4
  branch-real-1-5
  branch-1-6
  branch-1-7
  branch-1-8
  branch-1-9

The permissive mode was originally put in place long ago to cater to old
`tar' programs that otherwise failed to extract tarballs for unprivileged
users, in accordance with GNU Coding Standards recommendations:

     Make sure that the directory into which the distribution unpacks (as
  well as any subdirectories) are all world-writable (octal mode 777).
  This is so that old versions of `tar' which preserve the ownership and
  permissions of the files from the tar archive will be able to extract
  all the files even if the user is unprivileged.

These `tar' programs are believed to be no longer relevant today, and
the GNU Coding Standards will be adjusted to reflect this.

This issue was found, analyzed, reported, and fixed by Jim Meyering.

[1] <http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html>