On 07/13/2012 12:51 PM, Diego Elio Pettenò wrote:
> On 13/07/2012 10:50, Stefano Lattarini wrote:
>> Well, I'm really disappointed that nobody reported this upstream to us;
>> our non-Debian users would have been saved from two and a half years of
>> potential vulnerability :-/
>
> It's worth noting that I just checked and Gentoo also applies the same
> patch, for us started by
>
> https://bugs.gentoo.org/show_bug.cgi?id=295357
>
> The report quoted there refers to Jim who, if I'm not mistaken, works
> for RedHat, so I guess RHEL/Fedora/Centos are covered as well.
>
Ah but *that* bug (CVE-2009-4029, which affected not only "make distcheck" but also "make dist") was fixed in Automake proper as well. However, a stray "chmod a+w $(distdir)" in the distcheck target was somehow missed in the fix, and that caused CVE-2012-3386. So these are two different issues, not to be confused.

> So as much as I'd like to blame Debian, it's not really their fault :)
>
Looking more carefully, they fixed the (equivalent of) CVE-2012-3386 for Automake 1.4 (probably because they had to manually backport the patch anyway, so they looked for all the occurrences of "chmod 777"), but they did *not* fix it for the more modern versions (e.g., Automake 1.11), probably being convinced it had been solved as part of the fix for CVE-2009-4029; so I spoke too fast and inconsiderately by accusing them of somehow withholding a security fix from upstream.

So, Debian developers: sorry for the confusion, and please accept my apologies.

Thanks,
  Stefano
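The thread turns on one recipe line in the generated distcheck rule: "chmod a+w $(distdir)" (and, in the Automake 1.4 era, "chmod 777") hands write permission on the distribution tree to every local user while the check runs. The following POSIX shell script is an added example, not code from the thread or from Automake: it scans a Makefile or Makefile.in for chmod recipe lines that grant write permission to "other" (symbolic a+w, o+w, go+w, or an octal mode whose last digit has the write bit set) and counts them, so a packager can verify that a backported fix actually reached every generated Makefile. The three sample fragments it writes are constructed for the demonstration; the "fixed" shape using "chmod u+w" is my assumption of the remediated recipe, not a line quoted from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: a small scanner for the recipe pattern
# behind CVE-2012-3386 / CVE-2009-4029, i.e. a Makefile line that hands write
# permission on $(distdir) to "other" users (chmod a+w, o+w, go+w, or an octal
# mode such as 777 whose last digit has the write bit set).

# Print the number of offending chmod recipe lines in the given Makefile(.in).
# Lines such as "chmod -R a-w" or "chmod u+w" do not match: they remove
# permissions or touch only the owner.
count_world_writable_chmod() {
    grep -cE '^[[:space:]]*chmod[[:space:]]+(-R[[:space:]]+)?(([ugoa]*[ao][ugoa]*[+=][rxst]*w)|(0?[0-7][0-7][2367]))[[:space:]]' "$1" || true
}

# Write three constructed Makefile.in fragments into the directory given as $1:
#   vulnerable.Makefile.in  the stray "chmod a+w $(distdir)" the thread describes
#   legacy.Makefile.in      the "chmod 777" form the thread mentions for Automake 1.4
#   fixed.Makefile.in       the remediated shape, assumed here to be "chmod u+w"
# Recipe lines begin with a literal tab, as make requires.
write_samples() {
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir)\n\tchmod a+w $(distdir)\n\tmkdir $(distdir)/_build $(distdir)/_inst\n' \
        > "$1/vulnerable.Makefile.in"
    printf 'distcheck: dist\n\tchmod -R 777 $(distdir)\n' \
        > "$1/legacy.Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir)\n\tchmod u+w $(distdir)\n\tmkdir $(distdir)/_build $(distdir)/_inst\n' \
        > "$1/fixed.Makefile.in"
}

# Demonstration: build the samples in a scratch directory and report each file.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.Makefile.in; do
    printf '%s: %s world-writable chmod line(s)\n' \
        "$(basename "$f")" "$(count_world_writable_chmod "$f")"
done
rm -rf "$demo_dir"
```

Run it against a real tree with something like `find . -name 'Makefile.in' -exec sh -c 'n=$(count_world_writable_chmod "$1"); [ "$n" = 0 ] || echo "$1: $n"' _ {} \;` after sourcing the functions; a non-zero count on a package built with a supposedly patched Automake is exactly the situation described above for the Debian 1.11 package.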