X.Org releases & automake security issue CVE-2009-4029
Alan Coopersmith
Alan.Coopersmith at Sun.COM
Tue Dec 8 15:48:03 PST 2009
The GNU automake maintainers today issued patches and a security advisory
for a problem when running 'make dist*' on projects which had Makefile.in
generated by versions of automake prior to the patch:
http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html
This pretty much covers every X.Org modular release tarball ever made.
Clearly X.Org will not be rebuilding all our past tarballs with new
automake releases, as we simply don't have the people-power.
It's unclear to me if we need to rebuild any releases at all, or just
tell end users that if they're running 'make dist*' on a previously
released tarball, on a system in which untrusted users could login or
access the filesystem, they should run "autoreconf" first with a patched
local automake install. Any opinions?
X.Org developers/maintainers should move to patched versions of automake
when possible for generating release tarballs going forward.
--
-Alan Coopersmith- alan.coopersmith at sun.com
Sun Microsystems, Inc. - X Window System Engineering
More information about the xorg-devel
mailing list