This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU M4 source repository".
http://git.sv.gnu.org/gitweb/?p=m4.git;a=commitdiff;h=031a71a80442ed2ad3c2ee14d5811c786a12c51b The branch, branch-1_4 has been updated via 031a71a80442ed2ad3c2ee14d5811c786a12c51b (commit) from ed2e087c61541a94a3af378fe963cd1ae271d935 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 031a71a80442ed2ad3c2ee14d5811c786a12c51b Author: Eric Blake <[EMAIL PROTECTED]> Date: Thu Nov 22 07:34:32 2007 -0700 Security fix: avoid arbitrary code execution with 'm4 -F'. * src/freeze.c (produce_frozen_state): Never pass raw file name as printf format. * NEWS: Document this fix. Signed-off-by: Eric Blake <[EMAIL PROTECTED]> ----------------------------------------------------------------------- Summary of changes: ChangeLog | 7 +++++++ NEWS | 5 +++-- src/freeze.c | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4179e81..4d8ec23 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2007-11-22 Eric Blake <[EMAIL PROTECTED]> + + Security fix: avoid arbitrary code execution with 'm4 -F'. + * src/freeze.c (produce_frozen_state): Never pass raw file name as + printf format. + * NEWS: Document this fix. + 2007-11-21 Eric Blake <[EMAIL PROTECTED]> Consistently report macro name first in messages. diff --git a/NEWS b/NEWS index d988adf..1762571 100644 --- a/NEWS +++ b/NEWS 
@@ -4,8 +4,9 @@ Foundation, Inc. Version 1.4.11 - ?? ??? 2007, by ???? (git version 1.4.10a-*) -* Fix core dump in 'm4 -F file -t undefined', present since -F was - introduced in 1.3. +* Security fixes for the -F option, for bugs present since -F was + introduced in 1.3: Avoid core dump with 'm4 -F file -t undefined', and + avoid arbitrary code execution with certain file names. * Fix regression introduced in 1.4.9b in the `divert' builtin when more than 512 kibibytes are saved in diversions on platforms like NetBSD where fopen(name,"a+") seeks to the end of the file. diff --git a/src/freeze.c b/src/freeze.c index 2858e64..df68f3a 100644 --- a/src/freeze.c +++ b/src/freeze.c @@ -58,7 +58,7 @@ produce_frozen_state (const char *name) if (file = fopen (name, O_BINARY ? "wb" : "w"), !file) { - M4ERROR ((warning_status, errno, name)); + M4ERROR ((warning_status, errno, "%s", name)); return; } hooks/post-receive -- GNU M4 source repository
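Review bot: In the src/freeze.c hunk, the corrected call `M4ERROR ((warning_status, errno, "%s", name));` arrives without a regression test; the summary of changes lists only ChangeLog, NEWS and src/freeze.c. Consider adding a test that runs 'm4 -F' with a file name that cannot be opened and contains a '%' character, and checks that the name is reported literally in the warning. Because the defect was a non-literal format argument to M4ERROR, it is also worth checking the remaining M4ERROR call sites for the same pattern and building with a warning such as GCC's -Wformat-security so the compiler can flag any that remain.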
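Review bot: In the NEWS hunk, the phrase "certain file names" does not tell a user which invocations were affected. The src/freeze.c change shows that the name was used as the format only on the branch where fopen of the file given to -F fails, so the entry could state that condition, for example by saying the problem occurs when the file named by -F cannot be opened and its name contains printf directives. That lets people who run m4 -F on names they do not control judge their exposure from NEWS alone.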
