caution: avoid unpatched automake [CVE-2009-4029]
Jim Meyering
jim at meyering.net
Wed Feb 10 10:12:35 UTC 2010
Jim Meyering wrote:
> There was a nasty flaw in _every_ automake-generated Makefile.in
> until recently[*]. When making releases, most of us who maintain
To clarify, the vulnerability affects the "distdir" commands
that appear only in so-called top-level Makefile.in files.
Note however, that some packages include sub-packages, so it's not
enough to search the Makefile.in file in the top-level directory.
> automake-using packages run "make dist" or "make distcheck".
> Even if you don't, your users may. The flaw put all of us at risk.
...
That's why this command searches all Makefile.in files:
> tar --to-stdout -x -f $tgz '*/Makefile.in' | grep -e '-perm -777 '
More information about the devel
mailing list