From: Ralf Wildenhues
Subject: [Automake-commit] [SCM] GNU Automake branch, branch-1-8, updated. Release-1-8-5-7-gc17a55f
Date: Tue, 08 Dec 2009 22:12:27 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Automake".

http://git.sv.gnu.org/gitweb/?p=automake.git;a=commitdiff;h=c17a55f8da2be1b8be37f723d4ad170c837ad436

The branch, branch-1-8 has been updated
       via  c17a55f8da2be1b8be37f723d4ad170c837ad436 (commit)
       via  4331fc7423036e68a9e480fb0ff56934b5d2be0e (commit)
      from  50ab5cf48233d9148318d3bfac2b896d7d936abb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c17a55f8da2be1b8be37f723d4ad170c837ad436
Author: Ralf Wildenhues <address@hidden>
Date:   Tue Dec 8 22:31:37 2009 +0100

    Update NEWS.
    
    * NEWS: Update.
    
    Signed-off-by: Ralf Wildenhues <address@hidden>

commit 4331fc7423036e68a9e480fb0ff56934b5d2be0e
Author: Jim Meyering <address@hidden>
Date:   Tue Dec 1 22:07:45 2009 +0100

    do not put world-writable directories in distribution tarballs
    
    * lib/am/distdir.am (distdir): Do not make all directories
    group- or world-writable.  Instead, use 755.
    * NEWS: Update.
    
    Signed-off-by: Ralf Wildenhues <address@hidden>

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |   11 +++++++++++
 Makefile.in       |    3 ++-
 NEWS              |   10 +++++++++-
 lib/am/distdir.am |    9 +++------
 4 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 14f3bc0..c52b9e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2009-12-08  Ralf Wildenhues  <address@hidden>
+
+       * NEWS: Update.
+
+2009-11-28  Jim Meyering  <address@hidden>
+
+       do not put world-writable directories in distribution tarballs
+       * lib/am/distdir.am (distdir): Do not make all directories
+       group- or world-writable.  Instead, use 755.
+       * NEWS: Update.
+
 2004-05-23  Alexandre Duret-Lutz  <address@hidden>
 
        * tests/defs.in (PATH): Export it.
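Review bot: the 2009-11-28 ChangeLog entry omits the CVE identifier that the NEWS entry in this same commit carries (CVE-2009-4029). Security fixes get located later by grepping the ChangeLog, so put the identifier in the entry, e.g. "do not put world-writable directories in distribution tarballs (CVE-2009-4029)", rather than only in NEWS.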
diff --git a/Makefile.in b/Makefile.in
index f6971b4..c753eaa 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -389,7 +389,8 @@ distdir: $(DISTFILES)
              || exit 1; \
          fi; \
        done
-       -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+       -find "$(distdir)" -type d ! -perm -755 \
+               -exec chmod u+rwx,go+rx {} \; -o \
          ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
          ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
          ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} 
\; \
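Review bot: the new predicate `! -perm -755` combined with an additive `chmod u+rwx,go+rx` only guarantees that each directory has at least the 755 bits; it never clears a group- or world-write bit that is already set. A directory that is 775 or 777 when it lands in $(distdir) (created under a umask of 002, say) already satisfies `-perm -755`, is skipped, and goes into the tarball writable. The hard-link caveat in the comment concerns files (`-links 1`), not directories, so the directory branch can drop the predicate and set the mode unconditionally:
	-find "$(distdir)" -type d \
		-exec chmod u+rwx,go+rx,go-w {} \; -o \
The `-o` chain behaves as before, since the directory branch is still true whenever chmod succeeds, and every directory in the distribution is then guaranteed not to be group- or world-writable.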
diff --git a/NEWS b/NEWS
index c463488..01c2388 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,12 @@
-Bugs fixed in 1.8.5:
+Bugs fixed in 1.8.6a:
+
+* Longstanding bugs:
+
+  - The distribution is tarred up with mode 755 now by the `dist*' targets.
+    This fixes a race condition where untrusted users could modify files
+    in the $(PACKAGE)-$(VERSION) distdir before packing if the toplevel
+    build directory was world-searchable.  This is CVE-2009-4029.
+
 
 Bugs fixed in 1.8.5:
 
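Review bot: "tarred up with mode 755" overstates what the new find command does: it adds u+rwx,go+rx to directories that lack one of the 755 bits and leaves already-set write bits alone, so either word this as "directories in the distribution are no longer made world-writable by the `dist*' targets" or change the command to strip g+w and o+w as well. The race description could also be more precise: what a 777 directory granted other local users was the ability to create, remove, rename or replace entries in the distdir before tar ran, which "modify files" does not quite convey. Minor: the added trailing blank line plus the existing context blank leaves two consecutive blank lines before "Bugs fixed in 1.8.5:".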
diff --git a/lib/am/distdir.am b/lib/am/distdir.am
index 0ed0593..91dbe6b 100644
--- a/lib/am/distdir.am
+++ b/lib/am/distdir.am
@@ -190,11 +190,7 @@ if %?DIST-TARGETS%
 endif %?DIST-TARGETS%
 ##
 ## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked.  It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
 ##
 ## Ignore return result from chmod, because it might give an error
 ## if we chmod a symlink.
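Review bot: the deleted sentences were the only record of why directories used to be forced to a+rwx, and after the change the comment no longer says what the directory branch of the find does or why. A future maintainer who runs into one of those tar implementations could reinstate the world-writable mode without knowing it was removed as a security fix. Keep one sentence, e.g. "Directories are made 755, not world-writable: a 777 distdir lets other local users alter its contents before tar runs (CVE-2009-4029), which outweighs supporting tar implementations that chmod a directory before extracting into it."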
@@ -207,7 +203,8 @@ endif %?DIST-TARGETS%
 ## the file in place in the source tree.
 ##
 if %?TOPDIR_P%
-       -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+       -find "$(distdir)" -type d ! -perm -755 \
+               -exec chmod u+rwx,go+rx {} \; -o \
          ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
          ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
          ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} 
\; \
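Review bot: this template is what the Makefile.in hunk is generated from, so the additive-chmod limitation applies here too, but one point is specific to the recipe: its status is discarded (leading `-`, and the comment above explains that chmod may fail on symlinks), so a chmod failure on a directory leaves it in whatever mode it had, possibly 777, and `make dist` still succeeds. Since this change exists to establish a security property, add a verification pass after the find that fails the target if any directory is still group- or world-writable, using only POSIX predicates so it also works with non-GNU find, e.g.:
	test -z "$$(find "$(distdir)" -type d \( -perm -020 -o -perm -002 \))" \
	  || { echo "group/world-writable directory left in $(distdir)" >&2; exit 1; }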


hooks/post-receive
-- 
GNU Automake
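The following POSIX shell script is an added example, not Automake's code: it reproduces what the pre-patch and the patched `distdir' find rules do to directory modes in a constructed distdir, adds a stricter variant that also strips group/world write bits, and audits the result with POSIX-only find predicates. The sample tree layout (directories at 755, 775 and 700) and the `strict_fix_dir_modes` variant are assumptions of this example and are not part of the patch.

```shell
#!/bin/sh
# Added example, not Automake's code: reproduce what the old and the patched
# `distdir' find rules do to directory modes in a constructed distdir, then
# audit the result.  The sample tree layout and the strict_fix_dir_modes
# variant are assumptions of this example, not part of the patch.

# Pre-patch rule: force every directory to a+rwx (777).
old_fix_dir_modes() {
    find "$1" -type d ! -perm -777 -exec chmod a+rwx {} \;
}

# Patched rule: add u+rwx,go+rx only where some 755 bit is missing.
# It never clears a g+w or o+w bit that is already set.
new_fix_dir_modes() {
    find "$1" -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \;
}

# Stricter variant (assumption): touch every directory and strip go+w.
strict_fix_dir_modes() {
    find "$1" -type d -exec chmod u+rwx,go+rx,go-w {} \;
}

# List directories under $1 that are group- or world-writable, using only
# POSIX find predicates (no GNU-specific -perm /MODE).  Returns 1 if any.
audit_writable_dirs() {
    found=$(find "$1" -type d \( -perm -020 -o -perm -002 \) -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Number of group-/world-writable directories under $1.
count_writable_dirs() {
    audit_writable_dirs "$1" | wc -l | tr -d ' '
}

# Number of directories under $1 lacking one or more of the 755 bits.
count_dirs_below_755() {
    find "$1" -type d ! -perm -755 -print | wc -l | tr -d ' '
}

# Constructed distdir covering the cases that matter:
#   pkg-1.0/a  755  fine as is
#   pkg-1.0/b  775  as left by umask 002; the patched rule keeps it
#   pkg-1.0/c  700  too tight; the patched rule raises it to 755
# Prints the path of the distdir; its parent is a fresh temp directory.
make_sample_distdir() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/pkg-1.0/a" "$tmp/pkg-1.0/b" "$tmp/pkg-1.0/c" || return 1
    chmod 755 "$tmp/pkg-1.0" "$tmp/pkg-1.0/a"
    chmod 775 "$tmp/pkg-1.0/b"
    chmod 700 "$tmp/pkg-1.0/c"
    printf '%s\n' "$tmp/pkg-1.0"
}

# Permission string of one path, as ls prints it (for the demo output).
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demo: run each rule on a fresh sample tree and report.
for rule in old_fix_dir_modes new_fix_dir_modes strict_fix_dir_modes; do
    tree=$(make_sample_distdir) || exit 1
    "$rule" "$tree"
    printf '%-22s writable dirs: %s  b: %s  c: %s\n' "$rule" \
        "$(count_writable_dirs "$tree")" \
        "$(dir_mode_string "$tree/b")" "$(dir_mode_string "$tree/c")"
    rm -rf "$(dirname "$tree")"
done
```

Running it shows the old rule leaving all four directories writable, the patched rule fixing `c` but leaving `b` at 775, and the strict variant leaving none writable. The audit uses `-perm -020 -o -perm -002` rather than GNU find's `-perm /022` so it can run under the same portability constraints as an Automake-generated Makefile.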