GNU bug report logs - #7379
On the fix for CVE-2009-4029 Automake security fix for 'make dist*'


Package: automake;

Reported by: Behdad Esfahbod <behdad <at> behdad.org>

Date: Thu, 11 Nov 2010 21:14:03 UTC

Severity: normal

Tags: wontfix

Done: Stefano Lattarini <stefano.lattarini <at> gmail.com>

Bug is archived. No further changes may be made.


From: Glenn Morris <rgm <at> gnu.org>
To: 7379 <at> debbugs.gnu.org
Cc: behdad <at> behdad.org
Subject: bug#7379: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Thu, 11 Nov 2010 16:28:49 -0500
[ This was sent to "bugs-automake <at> gnu", apparently an alias for
"bug-automake". Because debbugs was unaware of this, it was assigned
to the default package, debbugs itself. I have reassigned it to
automake and am resending this so it goes to the right list.
The alias (along with "automake-bugs?") has been added to debbugs for
the future. ]

Original message:

From: Behdad Esfahbod <behdad <at> behdad.org>
To: bugs-automake <at> gnu.org
Subject: On the fix for CVE-2009-4029 Automake security fix for 'make dist*'
Date: Thu, 11 Nov 2010 16:17:22 -0500


Hi guys,

I recently read about the fix for the chmod 777 issue.  Just wanted to note
that it may be preferred if you continue with chmod 777 and instead fix the
problem by moving the dist dir inside another directory that is 700.

The reason a 777 mode in the tarball may be preferred (or 775 for that matter,
but not 755) is for systems where users of a group are using sticky-bit on the
group to share writable files with each other.  By letting the umask decide
what bits should not be set you enable such settings, whereas using 755,
the user expanding the tarball has to reset it to 775 or the rest of the group
cannot write to it.

Cheers,
behdad
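
The two behaviours the message relies on, as an added shell example that is not part of the original message or of Automake: a directory staged inside a private 0700 parent, and the extracting user's umask masking the mode stored in the tarball. The names `pkg-1.0`, `mode_of`, `make_dist` and `extracted_mode` are hypothetical; `--no-same-permissions` is passed so the umask is applied even when tar runs as root.

```shell
#!/bin/sh
# Added illustration; all paths and names are constructed for this example.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Stage a dist directory with mode $1 inside a private 0700 parent,
# archive it, and print the path of the resulting tarball.
make_dist() {
    stage=$(mktemp -d) || return 1
    chmod 700 "$stage"                 # only the owner can traverse the parent
    mkdir "$stage/pkg-1.0"
    chmod "$1" "$stage/pkg-1.0"        # mode that gets recorded in the archive
    tar -C "$stage" -cf "$stage/pkg.tar" pkg-1.0
    echo "$stage/pkg.tar"
}

# Extract tarball $1 under umask $2 and print the mode the directory ends up with.
extracted_mode() {
    out=$(mktemp -d) || return 1
    ( umask "$2"; tar --no-same-permissions -C "$out" -xf "$1" )
    mode_of "$out/pkg-1.0"
    rm -rf "$out"
}

# Compare a 777 and a 755 stored mode under a group-sharing and a default umask.
for m in 777 755; do
    t=$(make_dist "$m")
    echo "stored $m: umask 002 -> $(extracted_mode "$t" 002)," \
         "umask 022 -> $(extracted_mode "$t" 022)"
    rm -rf "$(dirname "$t")"
done
```
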




This bug report was last modified 14 years and 163 days ago.
