From: bug#7379 <7379@debbugs.gnu.org>
To: bug#7379 <7379@debbugs.gnu.org>
Subject: Status: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Tue, 24 Jun 2025 12:07:56 +0000

retitle 7379 On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
reassign 7379 automake
submitter 7379 Behdad Esfahbod
severity 7379 normal
tag 7379 wontfix
thanks

From: Behdad Esfahbod
To: bugs-automake@gnu.org
Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Thu, 11 Nov 2010 16:17:22 -0500

Hi guys,

I recently read about the fix for the chmod 777 issue. Just wanted to note
that it may be preferred if you continue with chmod 777 and instead fix the
problem by moving the dist dir inside another direction that is 700.

The reason a 777 mod in the tarball may be preferred (or 775 for that matter,
but not 755) is for systems that users of a group are using sticky-bit on the
group to share writable files with each other. By letting the umask decide
what bits should not be set you enable such settings, whereas using 755,
the user expanding the tarball has to reset it to 775 or the rest of the group
cannot write to it.
Cheers,
behdad

From: Glenn Morris
To: 7379@debbugs.gnu.org
Cc: behdad@behdad.org
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Thu, 11 Nov 2010 16:28:49 -0500

[ This was sent to "bugs-automake@gnu", apparently an alias for
"bug-automake". Because debbugs was unaware of this, it was assigned to
the default package, debbugs itself. I have reassigned it to automake
and am resending this so it goes to the right list. The alias (along
with "automake-bugs?"
has been added to debbugs for the future. ]

Original message:

From: Behdad Esfahbod
To: bugs-automake@gnu.org
Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Thu, 11 Nov 2010 16:17:22 -0500

Hi guys,

I recently read about the fix for the chmod 777 issue. Just wanted to note
that it may be preferred if you continue with chmod 777 and instead fix the
problem by moving the dist dir inside another direction that is 700.

The reason a 777 mod in the tarball may be preferred (or 775 for that matter,
but not 755) is for systems that users of a group are using sticky-bit on the
group to share writable files with each other. By letting the umask decide
what bits should not be set you enable such settings, whereas using 755,
the user expanding the tarball has to reset it to 775 or the rest of the group
cannot write to it.

Cheers,
behdad

From: Ralf Wildenhues
To: Behdad Esfahbod
Cc: 7379@debbugs.gnu.org, Glenn Morris, Jim Meyering
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Sat, 13 Nov 2010 09:00:37 +0100

[ Thanks Glenn for rerouting the bug report! ]

Hi Behdad,

> From: Behdad Esfahbod
> Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
> Date: Thu, 11 Nov 2010 16:17:22 -0500

> I recently read about the fix for the chmod 777 issue. Just wanted to note
> that it may be preferred if you continue with chmod 777 and instead fix the
> problem by moving the dist dir inside another direction that is 700.
>
> The reason a 777 mod in the tarball may be preferred (or 775 for that matter,
> but not 755) is for systems that users of a group are using sticky-bit on the
> group to share writable files with each other. By letting the umask decide
> what bits should not be set you enable such settings, whereas using 755,
> the user expanding the tarball has to reset it to 775 or the rest of the group
> cannot write to it.

Thanks for the bug report. At the time we fixed this, we considered
going this other option. It was a fairly close call.
The downside of the solution you suggest was that it would complicate
'make dist' a little, and maybe break a few packages that rely on the
exact subdir structure of $(distdir) being one directory below the
toplevel build directory. Such reliance is probably bad style anyway,
but we didn't know of many uses that would benefit from more relaxed
permission inside the tarball. How useful is that for you, how come you
don't use a version control repository rather than an extracted tarball
for collaborative work (honest question)?

You are the first person to report this in the 12 months since we
released fixed versions of Automake. I don't have other data to go on
but it thus doesn't seem to be a very widespread issue to me, and
there's the obvious workaround of a chmod -R after extraction, no?

I'm open to arguments here, but so far I'm slightly leaning toward
keeping the current behavior.

Thanks,
Ralf

From: Behdad Esfahbod
To: Ralf Wildenhues
Cc: 7379@debbugs.gnu.org, Glenn Morris, Jim Meyering
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Wed, 17 Nov 2010 11:26:50 -0500

Hi Ralf,

Scroll down for my comments.
On 11/13/10 03:00, Ralf Wildenhues wrote:
> [ Thanks Glenn for rerouting the bug report! ]
>
> Hi Behdad,
>
>> From: Behdad Esfahbod
>> Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
>> Date: Thu, 11 Nov 2010 16:17:22 -0500
>
>> I recently read about the fix for the chmod 777 issue. Just wanted to note
>> that it may be preferred if you continue with chmod 777 and instead fix the
>> problem by moving the dist dir inside another direction that is 700.
>>
>> The reason a 777 mod in the tarball may be preferred (or 775 for that matter,
>> but not 755) is for systems that users of a group are using sticky-bit on the
>> group to share writable files with each other. By letting the umask decide
>> what bits should not be set you enable such settings, whereas using 755,
>> the user expanding the tarball has to reset it to 775 or the rest of the group
>> cannot write to it.
>
> Thanks for the bug report. At the time we fixed this, we considered
> going this other option. It was a fairly close call. The downside of
> the solution you suggest was that it would complicate 'make dist' a
> little, and maybe break a few packages that rely on the exact subdir
> structure of $(distdir) being one directory below the toplevel build
> directory. Such reliance is probably bad style anyway, but we didn't
> know of many uses that would benefit from more relaxed permission inside
> the tarball. How useful is that for you, how come you don't use a
> version control repository rather than an extracted tarball for
> collaborative work (honest question)?
>
> You are the first person to report this in the 12 months since we
> released fixed versions of Automake. I don't have other data to go on
> but it thus doesn't seem to be a very widespread issue to me, and
> there's the obvious workaround of a chmod -R after extraction, no?

When I read about the fix, this was the first thing that popped into my mind.
I didn't actually hit this issue.

But I agree: most probably no one actually relies on the permissions being
correct right off the tarball anyway.

Cheers,
behdad

> I'm open to arguments here, but so far I'm slightly leaning toward
> keeping the current behavior.
>
> Thanks,
> Ralf
>

From: Stefano Lattarini
To: bug-automake@gnu.org
Cc: 7379@debbugs.gnu.org, Behdad Esfahbod, Ralf Wildenhues
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Fri, 17 Dec 2010 00:19:06 +0100

Hello Ralf and Behdad.

On Wednesday 17 November 2010, Behdad Esfahbod wrote:
>
> On 11/13/10 03:00, Ralf Wildenhues wrote:
>>
>> You are the first person to report this in the 12 months since we
>> released fixed versions of Automake. I don't have other data to go on
>> but it thus doesn't seem to be a very widespread issue to me, and
>> there's the obvious workaround of a chmod -R after extraction, no?
>>
> When I read about the fix, this was the first thing that popped into my mind.
> I didn't actually hit this issue.
>
> But I agree: most probably no one actually relies on the permissions being
> correct right off the tarball anyway.
>
> Cheers,
> behdad
>
Given this rationale, would it be ok to close this bug now?

Regards,
Stefano

From: Behdad Esfahbod
To: Stefano Lattarini
Cc: 7379@debbugs.gnu.org, Ralf Wildenhues, bug-automake@gnu.org
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Fri, 17 Dec 2010 00:00:11 -0500

On 12/16/10 18:19, Stefano Lattarini wrote:
> Hello Ralf and Behdad.
>
> On Wednesday 17 November 2010, Behdad Esfahbod wrote:
>>
>> On 11/13/10 03:00, Ralf Wildenhues wrote:
>>>
>>> You are the first person to report this in the 12 months since we
>>> released fixed versions of Automake. I don't have other data to go on
>>> but it thus doesn't seem to be a very widespread issue to me, and
>>> there's the obvious workaround of a chmod -R after extraction, no?
>>>
>> When I read about the fix, this was the first thing that popped into my mind.
>> I didn't actually hit this issue.
>>
>> But I agree: most probably no one actually relies on the permissions being
>> correct right off the tarball anyway.
>>
>> Cheers,
>> behdad
>>
> Given this rationale, would it be ok to close this bug now?

Yes, as far as I'm concerned.

behdad

> Regards,
> Stefano
>

From: Stefano Lattarini
To: Behdad Esfahbod
Cc: 7379@debbugs.gnu.org, Ralf Wildenhues
Subject: Re: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Fri, 17 Dec 2010 15:17:34 +0100

tags 7379 wontfix
close 7379
thanks

On Friday 17 December 2010, Behdad Esfahbod wrote:
> On 12/16/10 18:19, Stefano Lattarini wrote:
> > Given this rationale, would it be ok to close this bug now?
>
> Yes, as far as I'm concerned.
>
> behdad
>
I'm closing the bug then. I'm also tagging it as "wontfix", since it
referred to a real (albeit minor) limitation which we agreed it's better
not to lift.

Thanks,
Stefano

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 15 Jan 2011 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
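
The trade-off weighed in this thread, as an added example that is not part of the original messages or of Automake's own code: it checks whether a world-writable dist directory can be reached by other local users while it sits in the build tree, and what mode each archived choice yields after extraction under a given umask. The directory names (`build`, `stage`, `pkg-1.0`), the helper names, and the rule that the extractor masks archived modes with the user's umask are assumptions of the example.

```python
"""Added example: the 777 / 755 / 777-inside-700 options from the thread."""
import os
import stat
import tempfile


def extracted_mode(archived_mode, umask):
    """Mode a directory gets when the extractor masks the archived mode
    with the user's umask (assumed extractor behaviour, i.e. no -p)."""
    return stat.S_IMODE(archived_mode) & ~umask


def exposed_world_writable(root):
    """List directories under root (relative paths) that other local users
    can both reach and write to: o+w without the sticky bit, with o+x on
    the directory itself and on every directory between it and root."""
    exposed = []
    for dirpath, dirnames, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if not mode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse: subtree is shielded
            continue
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            exposed.append(os.path.relpath(dirpath, root))
    return sorted(exposed)


# Constructed layouts: (directories to create with their modes, mode that
# would be stored in the tarball for the dist directory).
LAYOUTS = {
    "distdir 777 in build dir": (
        [("pkg-1.0", 0o777), ("pkg-1.0/src", 0o777)], 0o777),
    "distdir 755 in build dir": (
        [("pkg-1.0", 0o755), ("pkg-1.0/src", 0o755)], 0o755),
    "distdir 777 under a 700 dir": (
        [("stage", 0o700), ("stage/pkg-1.0", 0o777),
         ("stage/pkg-1.0/src", 0o777)], 0o777),
}


def build_layout(base, layout):
    """Create a hypothetical build tree; chmod explicitly so the result
    does not depend on the umask of the process running the example."""
    root = os.path.join(base, "build")
    os.mkdir(root)
    os.chmod(root, 0o755)
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


def compare(umask=0o002):
    """For each layout: (exposed directories during the build,
    mode of the dist directory after extraction under umask)."""
    results = {}
    for name, (layout, archived) in LAYOUTS.items():
        with tempfile.TemporaryDirectory() as base:
            root = build_layout(base, layout)
            results[name] = (exposed_world_writable(root),
                             oct(extracted_mode(archived, umask)))
    return results


if __name__ == "__main__":
    for name, (exposed, mode) in compare(0o002).items():
        print(f"{name}: exposed={exposed} extracted={mode}")
```

Only the "other" permission class is inspected; group membership and ACLs are outside what this check models.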