1 --- automake-1.10/NEWS.orig	2012-07-10 06:06:11.262965208 -0700

     2 +++ automake-1.10/NEWS	2012-07-10 06:06:49.380882833 -0700

     3 @@ -128,6 +128,15 @@

     4      flavors, including optional formats such as dvi, ps, or info even

     5      when `no-installinfo' is used.)

     6  

     7 +* SECURITY VULNERABILITIES!

     8 +

     9 +  - The recipe of the 'distcheck' no longer grants anymore temporary

    10 +    world-wide write permissions on the extracted distdir.  Even if such

    11 +    rights were only granted for a vanishingly small time window, the

    12 +    implied race condition proved to be enough to allow a local attacker

    13 +    to run arbitrary code with the privileges of the user running "make

    14 +    distcheck".  This is CVE-2012-3386.

    15 +

    16  * Miscellaneous changes:

    17  

    18    - Automake no longer complains if input files for AC_CONFIG_FILES

    19 --- automake-1.10/lib/am/distdir.am.orig	2012-07-10 06:08:03.395311756 -0700

    20 +++ automake-1.10/lib/am/distdir.am	2012-07-10 06:08:34.847417147 -0700

    21 @@ -327,7 +327,7 @@

    22  ## Make the new source tree read-only.  Distributions ought to work in

    23  ## this case.  However, make the top-level directory writable so we

    24  ## can make our new subdirs.

    25 -	chmod -R a-w $(distdir); chmod a+w $(distdir)

    26 +	chmod -R a-w $(distdir); chmod u+w $(distdir)

    27  	mkdir $(distdir)/_build

    28  	mkdir $(distdir)/_inst

    29  ## Undo the write access.