caution: avoid unpatched automake [CVE-2009-4029]

Jon Masters jonathan at jonmasters.org
Wed Feb 10 10:07:33 UTC 2010


On Wed, 2010-02-10 at 10:58 +0100, Jim Meyering wrote:
> There was a nasty flaw in _every_ automake-generated Makefile.in
> until recently[*].  When making releases, most of us who maintain
> automake-using packages run "make dist" or "make distcheck".
> Even if you don't, your users may.  The flaw put all of us at risk.

I disagree that it's as critical as you make out - sure it needs fixing.
To exploit this, you have to build within a directory path that is going
to be writeable (i.e. have a world readable home directory and build in
there directly), and be using a shared system on which you don't trust
your users. In the latter case, it's often game over anyway.

umask is your friend.

Jon.
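
As an added example (not part of this thread or of automake), a defender-side check for the condition the discussion turns on: a POSIX shell function that lists directories under a build or dist tree that are writable by others, which is what an unpatched automake's "make dist" leaves behind and what a shared host makes dangerous. The function name, the demo tree and its paths are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Reports directories under a tree that
# are writable by "other" (mode o+w) and do not carry the sticky bit, the
# state CVE-2009-4029's "make dist" left behind. Prints one path per line and
# returns 1 if any such directory exists, 0 if the tree is clean.
find_world_writable_dirs() {
    tree=$1
    # -perm -o+w: others may write; ! -perm -1000: sticky bit is not set.
    found=$(find "$tree" -type d -perm -o+w ! -perm -1000 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on a constructed tree: the same directory layout created under a
# permissive umask and under the restrictive one Jon recommends.
demo() {
    tmp=$(mktemp -d)
    (umask 000; mkdir -p "$tmp/loose/pkg-1.0/src")   # directories end up 0777
    (umask 022; mkdir -p "$tmp/tight/pkg-1.0/src")   # directories end up 0755
    echo "checking $tmp/loose:"
    find_world_writable_dirs "$tmp/loose" || echo "-> world-writable dirs found"
    echo "checking $tmp/tight:"
    find_world_writable_dirs "$tmp/tight" && echo "-> clean"
    rm -rf "$tmp"
}

demo
```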
