automake
Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)


From: Eric Dorland
Subject: Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
Date: Fri, 13 Jul 2012 14:24:24 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

* Stefano Lattarini (address@hidden) wrote:
> On 07/13/2012 12:51 PM, Diego Elio Pettenò wrote:
> > On 13/07/2012 10:50, Stefano Lattarini wrote:
> >> Well, I'm really disappointed that nobody reported this upstream to us;
> >> our non-Debian users would have been saved from two and a half years of
> >> potential vulnerability :-/
> > 
> > It's worth noting that I just checked and Gentoo also applies the same
> > patch, for us started by
> > 
> > https://bugs.gentoo.org/show_bug.cgi?id=295357
> > 
> > The report quoted there refers to Jim who, if I'm not mistaken, works
> > for Red Hat, so I guess RHEL/Fedora/CentOS are covered as well.
> >
> Ah but *that* bug (CVE-2009-4029, which affected not only "make distcheck"
> but also "make dist") was fixed in Automake proper as well.  However, a
> stray "chmod a+w $(distdir)" in the distcheck target was somehow missed
> in the fix, and that caused CVE-2012-3386.  So these are two different
> issues, not to be confused.
> 
> > So as much as I'd like to blame Debian, it's not really their fault :)
> >
> Looking more carefully, they fixed (the equivalent of) CVE-2012-3386 for
> Automake 1.4 (probably because they had to manually backport the patch
> anyway, so looked for all the occurrences of "chmod 777"), but they did
> *not* fix it for the more modern versions (e.g., Automake 1.11), probably
> being convinced it had been solved as part of the fix for CVE-2009-4029;
> so I spoke too fast and inconsiderately by accusing them of somehow
> withholding a security fix from upstream.

I didn't write the patch but I expect that's what happened.
 
> So, Debian developers: sorry for the confusion, and please accept my
> apologies.

No worries.

> Thanks,
>   Stefano
> 
> 
> 

-- 
Eric Dorland <address@hidden>
ICQ: #61138586, Jabber: address@hidden

Attachment: signature.asc
Description: Digital signature
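
Added example, not part of the thread and not Automake's own code: a small audit script for the pattern the quoted message describes, a recipe `chmod` that makes `$(distdir)` writable by users other than the owner (`chmod a+w`, `chmod 777`). The function names `scan_chmod` and `write_sample`, and the sample Makefile fragment, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Automake code: list recipe lines whose chmod grants
# write permission to group, other or all.

# scan_chmod FILE -> one "target:line:chmod MODE OPERAND" per finding
scan_chmod() {
    awk '
    function risky(mode,    n, c, i, who) {
        if (mode ~ /^[0-7]+$/)                  # octal: group/other digits
            return (substr("00" mode, length(mode) + 1) ~ /[2367]/)
        n = split(mode, c, ",")                 # symbolic clauses
        for (i = 1; i <= n; i++)
            if (match(c[i], /[+=]/)) {
                who = substr(c[i], 1, RSTART - 1)
                if (who ~ /[ago]/ && substr(c[i], RSTART + 1) ~ /w/)
                    return 1
            }
        return 0
    }
    { first = substr($0, 1, 1) }
    # Rule header: not a recipe or comment line, has ":" that is not ":=".
    first != "\t" && first != "#" && /^[^=]*:/ && $0 !~ /^[^=]*:=/ {
        target = $0; sub(/ *:.*/, "", target); next
    }
    first == "\t" {                             # recipe line
        line = $0; gsub(/[;&|]/, " ", line)
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) {
            cmd = tok[i]; sub(/^[-@+]+/, "", cmd)   # strip make prefixes
            if (cmd != "chmod") continue
            j = i + 1
            while (j <= n && tok[j] ~ /^-[RfvchHLP]/) j++   # skip options
            if (j <= n && risky(tok[j]))
                print target ":" NR ":chmod " tok[j] " " tok[j + 1]
        }
    }' "$1"
}

# Constructed sample input: one octal case, the a+w case, and a u+w variant.
write_sample() {
    printf 'distdir = pkg-1.0\n'
    printf 'dist-old:\n\tmkdir $(distdir) && chmod 777 $(distdir)\n'
    printf 'distcheck:\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n'
    printf 'distcheck-fixed:\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n'
}

sample=$(mktemp) && write_sample > "$sample" && scan_chmod "$sample"
rm -f "$sample"
```

Run against a generated `Makefile.in`, the script reports the target name and line of each match; the owner-only `u+w` form is not reported.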
