1 --- automake-1.11.2/NEWS.orig	2012-07-10 05:55:08.774803866 -0700

     2 +++ automake-1.11.2/NEWS	2012-07-10 05:55:40.618794747 -0700

     3 @@ -90,6 +90,15 @@

     4    - The AM_COND_IF macro also works if the shell expression for the

     5      conditional is no longer valid for the condition.

     6  

     7 +* SECURITY VULNERABILITIES!

     8 +

     9 +  - The recipe of the 'distcheck' no longer grants anymore temporary

    10 +    world-wide write permissions on the extracted distdir.  Even if such

    11 +    rights were only granted for a vanishingly small time window, the

    12 +    implied race condition proved to be enough to allow a local attacker

    13 +    to run arbitrary code with the privileges of the user running "make

    14 +    distcheck".  This is CVE-2012-3386.

    15 +

    16  * Long-standing bugs:

    17  

    18    - The order of Yacc and Lex flags is fixed to be consistent with other

    19 --- automake-1.11.2/lib/am/distdir.am.orig	2012-07-10 05:57:02.481964158 -0700

    20 +++ automake-1.11.2/lib/am/distdir.am	2012-07-10 05:57:54.509361759 -0700

    21 @@ -441,7 +441,7 @@

    22  ## Make the new source tree read-only.  Distributions ought to work in

    23  ## this case.  However, make the top-level directory writable so we

    24  ## can make our new subdirs.

    25 -	chmod -R a-w $(distdir); chmod a+w $(distdir)

    26 +	chmod -R a-w $(distdir); chmod u+w $(distdir)

    27  	mkdir $(distdir)/_build

    28  	mkdir $(distdir)/_inst

    29  ## Undo the write access.