Your message dated Sun, 27 May 2012 00:55:38 -0400
with message-id <20120527045538.GA21853@gambit>
and subject line Re: Bug#570850: Fix CVE-2009-4029 in Lenny/stable
has caused the Debian Bug report #570850,
regarding automake: Fix CVE-2009-4029 in Lenny/stable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
570850: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570850
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: automake
Version: 1:1.10.1-3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
Please fix CVE-2009-4029 in automake 1.10.
I create my upstream releases from a Debian stable box, and I was
surprised to see that the generated Makefile.in's still have
instructions for 777 directories.
Attached is a patch :)
Cheers!
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages automake depends on:
ii autoconf 2.61-8 automatic configure script builder
ii autotools-dev 20080123.1 Update infrastructure for config.{
automake recommends no packages.
automake suggests no packages.
-- no debconf information
--- automake1.10-1.10.1/debian/changelog
+++ automake1.10-1.10.1/debian/changelog
@@ -1,3 +1,11 @@
+automake1.10 (1:1.10.1-4) stable-security; urgency=high
+
+ [ Sylvain Beucler ]
+ * Fix CVE-2009-4029, which created world-writable directories in
+ distribution tarballs.
+
+ -- Eric Dorland <e...@debian.org> Sun, 21 Feb 2010 21:45:48 +0100
+
automake1.10 (1:1.10.1-3) unstable; urgency=low
* debian/automake.postinst: Bump up the priority to 28 so that it wins
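Review bot: the new changelog entry has no "Closes: #570850" on the CVE bullet, so the upload will not close this report automatically; add it. Also, the version 1:1.10.1-4 on stable-security can collide with a later -4 upload to unstable; stable updates are conventionally versioned below that (for example 1:1.10.1-3+lenny1) so the two lines stay sortable.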
--- automake1.10-1.10.1.orig/lib/am/distdir.am
+++ automake1.10-1.10.1/lib/am/distdir.am
@@ -196,11 +196,7 @@
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
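Review bot: the rewritten "+##" comment removes the rationale for making directories world-writable but records nothing about why 755 is now the target mode; a one-line note that the old tar workaround caused CVE-2009-4029 and was dropped on purpose would stop a later maintainer from reading the shorter comment and restoring the a+rwx behaviour. The retained "Ignore return result from chmod" comment still matches the leading "-" on the find line.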
@@ -213,7 +209,8 @@
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 \
+ -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
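Review bot: "! -perm -755" on the "+" line only fires when a directory lacks one of the 755 bits, so a directory that already arrives in $(distdir) with group- or world-write set satisfies the test and keeps those bits; the new chmod widens modes but never tightens them. If the intent is that no directory in the tarball is world-writable, add a branch that matches directories with a write bit set for group or others and clears it (for example "-type d -perm -002 -exec chmod go-w {} \;" alongside a "-perm -020" test), since "u+rwx,go+rx" alone never removes a bit. The split of the find expression across two continuation lines is fine; both end in "\".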
--- End Message ---
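An added check (not part of the bug report, the automake patch or Debian's own tooling) for the symptom the report describes: a generated Makefile.in that still carries the `chmod a+rwx` directory rule, and a tarball listing that already contains world-writable directories. The Makefile.in fragments and `tar -tvf` listings it inspects are constructed samples built from the patch hunk above.

```shell
# Added example, not part of the bug report or the automake patch: two checks a
# release engineer can run against what automake generated.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: the distdir rule as automake 1.10.1 writes it (vulnerable)
# and as the patch rewrites it (fixed); both lines are copied from the patch hunk.
cat > "$tmpdir/Makefile.in.vuln" <<'EOF'
    -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
EOF
cat > "$tmpdir/Makefile.in.fixed" <<'EOF'
    -find $(distdir) -type d ! -perm -755 \
      -exec chmod u+rwx,go+rx {} \; -o \
EOF

# Constructed sample: "tar -tvf" listings of a tarball built before and after
# the fix; the mode column is what the check inspects.
cat > "$tmpdir/listing.vuln" <<'EOF'
drwxrwxrwx user/group        0 2010-02-21 21:45 foo-1.0/
-rw-r--r-- user/group     1234 2010-02-21 21:45 foo-1.0/configure.ac
drwxrwxrwx user/group        0 2010-02-21 21:45 foo-1.0/src/
EOF
cat > "$tmpdir/listing.fixed" <<'EOF'
drwxr-xr-x user/group        0 2010-02-21 21:45 foo-1.0/
-rw-r--r-- user/group     1234 2010-02-21 21:45 foo-1.0/configure.ac
drwxr-xr-x user/group        0 2010-02-21 21:45 foo-1.0/src/
EOF

# Exit 0 if the generated Makefile.in still carries the pre-fix directory rule
# (chmod a+rwx on every directory under $(distdir)), 1 otherwise.
makefile_in_is_vulnerable() {
    grep -q -- '-type d ! -perm -777 -exec chmod a+rwx' "$1"
}

# Exit 0 if a "tar -tvf" listing has a directory entry with the others-write bit
# set: the mode column is "d" plus nine permission chars, the 8th being others-write.
tar_listing_has_world_writable_dir() {
    awk '$1 ~ /^d.......w/ { found = 1 } END { exit !found }' "$1"
}

# Stand-alone run: report each constructed sample.
for f in "$tmpdir"/Makefile.in.* "$tmpdir"/listing.*; do
    case $f in
        */Makefile.in.*) makefile_in_is_vulnerable "$f" && r="vulnerable distdir rule" || r="fixed distdir rule" ;;
        *) tar_listing_has_world_writable_dir "$f" && r="world-writable directory present" || r="no world-writable directory" ;;
    esac
    echo "${f##*/}: $r"
done
```

Run the second check against `tar -tvf foo-1.0.tar.gz > listing` for a real release tarball; the first against the `Makefile.in` that `automake` wrote into your source tree.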
--- Begin Message ---
* Sylvain Beucler (b...@beuc.net) wrote:
> Note: the patch comes from:
> http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html
>
Since lenny is now out of security support, closing.
--
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
--- End Message ---