Jim Meyering wrote:
> FYI, I should be pushing these soon, and then making a snapshot
> within a couple hours:
> [PATCH 1/2] build: distcheck: do not leave a $TMPDIR/coreutils directory 
> behind

aka, http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=ae034822c535fa5

Now that there's a public BZ mentioning the security impact,
http://bugzilla.redhat.com/545439, I will note that the above
change also fixes a security-related flaw.  Any user running
"make distcheck" with TMPDIR unset or set to a world-writable
directory like /tmp, is vulnerable to arbitrary code execution.

So either don't run "make distcheck", with coreutils-8.1 or earlier,
or be sure that TMPDIR is not a world-writable directory.

I'll add something like the above to NEWS.

Reply via email to