
Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)


From: Eric Dorland
Subject: Re: GNU Automake 1.11.6 released (fixes a SECURITY VULNERABILITY!)
Date: Mon, 9 Jul 2012 18:14:05 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

* Stefano Lattarini (address@hidden) wrote:
> This message announces the Automake 1.11.6 bug-fixing release.
> 
> This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386), so you are
> strongly encouraged to upgrade your existing Automake installation ASAP.
> 
> With this release, the recipe of the 'distcheck' target no longer grants
> temporary world-wide write permissions on the extracted distdir.  Even if
> such rights were only granted for a vanishingly small time window, the
> implied race condition proved to be enough to allow a local attacker to
> run arbitrary code with the privileges of the user running "make distcheck".
> 
> The fix of this security vulnerability is the only change between the
> earlier 1.11.5 release and the present 1.11.6 one.
> 
> Download the fixed release here:
> 
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.gz
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.xz
> 
> Please report bugs and problems to <address@hidden>, and send
> general comments and feedback to <address@hidden>.
> 
> Thanks to everyone who has reported problems, contributed patches,
> and helped testing Automake!

Are older versions of automake also vulnerable?

-- 
Eric Dorland <address@hidden>
ICQ: #61138586, Jabber: address@hidden

Attachment: signature.asc
Description: Digital signature
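
The announcement quoted above says the 'distcheck' recipe temporarily granted world-wide write permission on the extracted distdir. As an added example (not part of the original message and not Automake's own code), the Python below audits one make target's recipe for `chmod` calls that give write access to "others". The function names and both sample recipes are constructed for illustration, not copied from any Automake release.

```python
import re

SYMBOLIC = re.compile(r"([ugoa]*)([+=-])([rwxXst]*)")

def grants_other_write(mode):
    """True if a chmod mode argument gives write access to 'others'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o002)
    for clause in mode.split(","):
        m = SYMBOLIC.fullmatch(clause)
        # An empty "who" is filtered by the umask, so only explicit o/a counts.
        if (m and m.group(2) in "+=" and "w" in m.group(3)
                and set(m.group(1)) & {"o", "a"}):
            return True
    return False

def recipe_lines(makefile_text, target):
    """Yield (line_number, text) for each tab-indented recipe line of target."""
    in_recipe = False
    rule = re.compile(re.escape(target) + r"\s*:")
    for number, line in enumerate(makefile_text.splitlines(), 1):
        if line.startswith("\t"):
            if in_recipe:
                yield number, line.strip()
        elif line.strip() and not line.lstrip().startswith("#"):
            in_recipe = rule.match(line) is not None

def world_writable_chmods(makefile_text, target="distcheck"):
    """Return [(line_number, mode)] for chmod calls granting other-write."""
    findings = []
    for number, text in recipe_lines(makefile_text, target):
        for command in re.split(r";|&&|\|\|", text):
            words = command.lstrip("@-+ \t").split()
            if "chmod" not in words:
                continue
            # Drop options such as -R; the first remaining word is the mode.
            args = [w for w in words[words.index("chmod") + 1:]
                    if not w.startswith("-")]
            if args and grants_other_write(args[0]):
                findings.append((number, args[0]))
    return findings

# Constructed sample recipes (assumptions, not taken from a real Makefile.in).
WEAK_SAMPLE = ("distcheck: dist\n"
               "\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n"
               "\tmkdir $(distdir)/_build\n")
SAFE_SAMPLE = WEAK_SAMPLE.replace("chmod a+w", "chmod u+w")

if __name__ == "__main__":
    print(world_writable_chmods(WEAK_SAMPLE), world_writable_chmods(SAFE_SAMPLE))
```

Run it over the text of a generated `Makefile.in` to see whether the recipe it contains still opens the directory to other local users.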

