Announcing the release of version 4.3.7 of GNU findutils

[James Youngman]

I announce the release of version 4.3.7 of GNU findutils.

GNU findutils is a set of software tools for finding files that match
certain criteria and for performing various operations on them.
Findutils includes the programs "find", "xargs" and "locate".  More
information about findutils is available at
http://www.gnu.org/software/findutils/.

This is a "development" release of findutils.  It can be downloaded
from  ftp://alpha.gnu.org/gnu/findutils.  The 4.3.x release series is
intended to allow people to try out, comment on or contribute to new
features of findutils.  During the 4.3.x release series some features
may be introduced and then changed or removed as a result of feedback
or experience.  In short, please don't rely on backward compatibility
later in the release series.

While this is a development release, it is tested before being
released, principally with the regression test suite (run "make check"
to use it).  The Savannah website
(http://savannah.gnu.org/bugs/?group=findutils) contains a current
list of known bugs in findutils (for both the stable and development
branches).

This release includes a range of changes, including bugfixes,
documentation improvements and small functional changes.  All the
changes since the previous release are summarised below.

Bugs in GNU findutils should be reported to the findutils bug tracker
at http://savannah.gnu.org/bugs/?group=findutils.  Reporting bugs via
the web interface will ensure that you are automatically informed when
the bug has been fixed.  General discussion of findutils takes place
on the bug-findutils mailing list.  To join the 'bug-findutils'
mailing list, send email to <address@hidden>.

To verify the GPG signature of the release, you will need the public
key of the findutils maintainer, James Youngman.  You can download
this from http://savannah.gnu.org/users/jay.  Alternatively, you
could query a PGP keyserver, but you will need to use one that can
cope with subkeys containing photos.  Many older key servers cannot do
this.  I use subkeys.pgp.net.  I think that one works.  See also the
"Downloading" section of http://www.gnu.org/software/findutils/.

I would like to thank Rob Holland of Inverse Path and the members of the
bug-findutils mailing list for their help in preparing this release.

* Major changes in release 4.3.7

** Functional changes

Locate can now read old-format locate databases generated on machines
with a different byte order.  It does this by guessing the byte order,
so the result is not completely reliable.  If you need to share
databases between machines of different architectures, you should use
the LOCATE02 format (which has other advantages, as explained in the
documentation).

** Security Fixes

#20014: Findutils-4.3.7 includes a patch for a potential security
problem in locate.  When locate read an old-format database, it read
file names into a fixed-length buffer allocated on the heap without
checking for overflow.  Although overflowing a heap buffer is often
somewhat safer than overflowing a buffer on the stack, this bug still
has potential security implications.

This bug also affected the following previous findutils releases:

- All releases prior to 4.2.31
- Findutils 4.3.0 to 4.3.6.

This bug has been assigned CVE number CVE-2007-2452.

** Bug Fixes

#20128: Fix compilation error of find/tree.c on AIX with GCC.

#20005: Tests -mtime -n and -mtime +n incorrectly treated like -mtime n.

#19983: include_next causes compilation failure in findutils 4.3.6 on
non-GCC compilers

#19981: Don't call setgroups if the function isn't available.  This
fixes Savannah bug# 19981.

#19980: Don't use the functions putw() or getw() since these are not
in current POSIX.  Use the gnulib version of wcwidth() where the
system does not provide it.

#19979: Compilation errors on BeOS

#19970: Cannot cast from pointer to bool using gnulib's <stdbool.h>

#19967: Use of __attribute((__noreturn__)) makes compilation fail with
some non-GCC compilers

#19966: find should link against -lm for modf() and fabs()

#19965: Compilation failure on OSF/1 4.0; non-declaration of uintmax_t

#19948: Assertion failure O_NOFOLLOW != 0 on IRIX 6.5

#19871: Typos in find.1

#19596: Fixed this bug again, this time in the Texinfo manual (the
discussion should compare %b with %s/512, not %s/1024).

#19416: _FORTIFY_SOURCE warn_unused_result warnings


--
James Youngman <address@hidden>
GNU findutils maintainer