* Stefano Lattarini (stefano.lattar...@gmail.com) wrote:
> On 07/13/2012 12:51 PM, Diego Elio Pettenò wrote:
> > On 13/07/2012 10:50, Stefano Lattarini wrote:
> >> Well, I'm really disappointed that nobody reported this upstream to us;
> >> our non-Debian users would have been saved from two and a half years of
> >> potential vulnerability :-/
> >
> > It's worth noting that I just checked and Gentoo also applies the same
> > patch, for us started by
> >
> > https://bugs.gentoo.org/show_bug.cgi?id=295357
> >
> > The report quoted there refers to Jim who, if I'm not mistaken, works
> > for RedHat, so I guess RHEL/Fedora/Centos are covered as well.
> >
> Ah but *that* bug (CVE-2009-4029, which affected not only "make distcheck"
> but also "make dist") was fixed in Automake proper as well. However, a
> stray "chmod a+w $(distdir)" in the distcheck target was somehow missed
> in the fix, and that caused CVE-2012-3386. So these are two different
> issues, not to be confused.
>
> > So as much as I'd like to blame Debian, it's not really their fault :)
> >
> Looking more carefully, they fixed the equivalent of CVE-2012-3386 for
> Automake 1.4 (probably because they had to manually backport the patch
> anyway, so looked for all the occurrences of "chmod 777"), but they did
> *not* fix it for the more modern versions (e.g., Automake 1.11), probably
> being convinced it had been solved as part of the fix for CVE-2009-4029;
> so I spoke too fast and inconsiderately by accusing them of somehow
> withholding a security fix from upstream.

I didn't write the patch but I expect that's what happened.

> So, Debian developers: sorry for the confusion, and please accept my
> apologies.

No worries.

> Thanks,
>   Stefano
>

-- 
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
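As an added example (not code from this thread or from Automake itself), a check a packager could run over a generated Makefile.in to catch the kind of line discussed above: chmod invocations whose mode grants write access to other users, reported with the rule they sit in. The Makefile.in fragment below is constructed for the demonstration, not copied from any Automake release.

```python
import re

# CVE-2012-3386 came from one stray recipe line, "chmod a+w $(distdir)" in the
# generated distcheck rule, which left the unpacked distribution tree writable
# by every local user.  This check scans a Makefile or Makefile.in for chmod
# invocations whose mode grants write access to "other" and reports the rule
# they belong to, so such a line can be spotted before a package ships.

# "chmod [flags] MODE PATH"; the lookbehind avoids matching names like am__chmod
CHMOD = re.compile(r"(?<![\w$])chmod\s+((?:-\w+\s+)*)(\S+)\s+(\S+)")
RULE_HEADER = re.compile(r"([^\s:#=]+)\s*:(?!=)")  # "target:" but not "VAR :="


def mode_is_world_writable(mode):
    """True if a chmod mode argument grants write permission to 'other'."""
    if re.fullmatch(r"[0-7]{3,4}", mode):          # octal: look at the o bits
        return int(mode[-1], 8) & 0o2 != 0
    for clause in mode.split(","):                 # symbolic: u+w,a=rwx,...
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXst]*)", clause)
        if not m:
            continue
        who, op, perms = m.groups()
        # an empty "who" means all users (subject to umask): treat it as world
        if op in "+=" and "w" in perms and (who == "" or "a" in who or "o" in who):
            return True
    return False


def find_world_writable_chmods(makefile_text):
    """Return (line number, enclosing rule, mode, path) for each risky chmod."""
    hits, rule = [], None
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith("\t"):              # not a recipe line
            m = RULE_HEADER.match(line)
            rule = m.group(1) if m else rule
            continue
        for m in CHMOD.finditer(line):
            mode, path = m.group(2), m.group(3)
            if mode_is_world_writable(mode):
                hits.append((lineno, rule, mode, path))
    return hits


# Constructed Makefile.in fragment: only the distcheck line that loosens
# permissions should be reported; a+r, a-w and 755 are left alone.
SAMPLE_MAKEFILE_IN = "\n".join([
    "distdir: $(DISTFILES)",
    "\trm -rf $(distdir)",
    "\tmkdir $(distdir)",
    "\t-test -n \"$(am__skip_mode_fix)\" \\",
    "\t|| chmod -R a+r $(distdir)",
    "",
    "distcheck: dist",
    "\tchmod -R a-w $(distdir); chmod a+w $(distdir)",
    "\tmkdir $(distdir)/_build $(distdir)/_inst",
    "",
    "install-data-hook:",
    "\tchmod 755 $(DESTDIR)$(bindir)/tool",
])

if __name__ == "__main__":
    for lineno, rule, mode, path in find_world_writable_chmods(SAMPLE_MAKEFILE_IN):
        print(f"line {lineno} (rule {rule}): chmod {mode} {path}")
```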