X.Org releases & automake security issue CVE-2009-4029

Jeremy Huddleston jeremyhu at freedesktop.org
Tue Dec 8 16:33:13 PST 2009 

First of all, can we come up with a hook in util-macros which will  
verify that the version of automake is correct and bail during  
configure if it's not?  This would prevent future problems (assuming  
the packager has the latest util-macros... which they should).

As far as what to do about released packages:

1) Re-releasing *every* tarball is certainly out of the question.

2) Re-releasing with the same version number is out of the question as  
that is one of the big packager nightmares (don't change checksums on  
us).

3) Bumping (maybe as a sub-tiny version bump... eg: 1.0 -> 1.0.0.1)  
the latest version is an option I'd consider, but I personally believe  
we have too many repos and too few people to do this effectively.   
Unless Alan came up with some friendly script for mass releases during  
the last katamari, I'd vote for skipping this option.

4) Making an announcement seems to be the best bet.  Packagers can  
autoreconf, and the quantity of users building from sources and not  
using something like pkgsrc, portage, etc is probably limited in scope  
and not worth the effort of a mass re-release.

On Dec 8, 2009, at 15:48, Alan Coopersmith wrote:

> The GNU automake maintainers today issued patches and a security  
> advisory
> for a problem when running 'make dist*' on projects which had  
> Makefile.in
> generated by versions of automake prior to the patch:
>  http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html
>
> This pretty much covers every X.Org modular release tarball ever made.
> Clearly X.Org will not be rebuilding all our past tarballs with new
> automake releases, as we simply don't have the people-power.
>
> It's unclear to me if we need to rebuild any releases at all, or just
> tell end users that if they're running 'make dist*' on a previously
> released tarball, on a system in which untrusted users could login or
> access the filesystem, they should run "autoreconf" first with a  
> patched
> local automake install.   Any opinions?
>
> X.Org developers/maintainers should move to patched versions of  
> automake
> when possible for generating release tarballs going forward.
>
> -- 
> 	-Alan Coopersmith-           alan.coopersmith at sun.com
> 	 Sun Microsystems, Inc. - X Window System Engineering
>
> _______________________________________________
> xorg-devel mailing list
> xorg-devel at lists.x.org
> http://lists.x.org/mailman/listinfo/xorg-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5820 bytes
Desc: not available
Url : http://lists.x.org/archives/xorg-devel/attachments/20091208/db67530c/attachment-0001.bin

More information about the xorg-devel mailing list