Adam Williamson wrote:
> * Deleting ALL files automatically generated or imported by
autotools in
> %prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it
> would NOT have done the right thing here. Delete the files, THEN run
> autoreconf.)
No. This would not have avoided the attack, because it would not have
regenerated the malicious file. We have already established that.
Just running autoreconf would not. As I wrote: "DO NOT trust autoreconf, it
would NOT have done the right thing here." Deleting the file with an
explicit rm -f in %prep, and THEN running autoreconf would have regenerated
(reimported, actually, this comes from gnulib and is copied unchanged, but
in any case it would NOT have contained the malicious additions) the file.
That said, autoreconf needs fixing too, because -f is supposed to regenerate
all files that can be regenerated, which is not happening. But if you
explicitly delete the files before running autoreconf, then it has to
regenerate them no matter what.
Kevin Kofler