X.Org releases & automake security issue CVE-2009-4029

Matthieu Herrb matthieu.herrb at laas.fr
Tue Dec 8 23:07:41 PST 2009


On Tue, Dec 08, 2009 at 03:48:03PM -0800, Alan Coopersmith wrote:
> The GNU automake maintainers today issued patches and a security advisory
> for a problem when running 'make dist*' on projects which had Makefile.in
> generated by versions of automake prior to the patch:
>   http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html
> 
> This pretty much covers every X.Org modular release tarball ever made.
> Clearly X.Org will not be rebuilding all our past tarballs with new
> automake releases, as we simply don't have the people-power.
> 
> It's unclear to me if we need to rebuild any releases at all, or just
> tell end users that if they're running 'make dist*' on a previously
> released tarball, on a system in which untrusted users could login or
> access the filesystem, they should run "autoreconf" first with a patched
> local automake install.   Any opinions?

Telling users of released tarballs to be careful is more than enough
in my opinion. In most cases someone using a downloaded tarball will
not use 'make dist' or distcheck.

> X.Org developers/maintainers should move to patched versions of automake
> when possible for generating release tarballs going forward.

Sure, but please don't enforce it by requiring the latest automake version
in xorg-macros. Many people are running distributions that will
ship patches to previous automake versions rather than blindly updating
it.

-- 
Matthieu Herrb
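A quick way to check an unpacked release tarball for the situation Alan describes, as an added example that is not part of this thread or of X.Org's tooling: it looks at the generated Makefile.in, reports which automake produced it, and flags a distdir rule that makes directories world-writable (the `chmod a+rwx` pattern is my assumption about what the advisory fixed; the thread itself names no pattern). The two Makefile.in fragments are constructed samples, not real X.Org files.

```sh
#!/bin/sh
# Added example: scan a generated Makefile.in for the world-writable
# distdir permissions addressed by the automake patches for CVE-2009-4029.
# Assumption (not from the thread): the unfixed rule chmods directories
# under $(distdir) to a+rwx; the patched rule uses u+rwx,go+rx.

# Print the automake version recorded in the Makefile.in header line.
automake_version() {
    sed -n 's/^# Makefile.in generated by automake \([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when the distdir rule makes directories a+rwx (unfixed), else 1.
distdir_world_writable() {
    sed -n '/^distdir:/,/^$/p' "$1" | grep -q 'chmod a+rwx'
}

# Print "regen" (run autoreconf with a patched automake first) or "ok".
check_makefile_in() {
    if distdir_world_writable "$1"; then
        echo "$1: generated by automake $(automake_version "$1"); run 'autoreconf -fi' with a patched automake before 'make dist'" >&2
        echo regen
    else
        echo ok
    fi
}

# Constructed samples standing in for an old and a regenerated tarball.
tmp=$(mktemp -d)
cat > "$tmp/old.in" <<'EOF'
# Makefile.in generated by automake 1.10.2 from Makefile.am.
distdir: $(DISTFILES)
	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
	  ! -type d ! -perm -444 -exec chmod a+r {} \; \
	|| chmod -R a+r $(distdir)

EOF
cat > "$tmp/new.in" <<'EOF'
# Makefile.in generated by automake 1.11.1 from Makefile.am.
distdir: $(DISTFILES)
	-find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
	  ! -type d ! -perm -444 -exec chmod a+r {} \; \
	|| chmod -R a+r $(distdir)

EOF

check_makefile_in "$tmp/old.in"   # regen
check_makefile_in "$tmp/new.in"   # ok
```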
