doc: NEWS: mention the "make distcheck" vulnerability

* NEWS (Bug fixes): Mention implications of the "make distcheck" change.
This was introduced on 2008-07-22 by commit 9bb0d576, "tests: ensure
"make check" w/tainted build dir no longer impacts $HOME".

diff --git a/NEWS b/NEWS
index e30e7e5..a281838 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,13 @@ GNU coreutils NEWS                                    -*- outline -*-
   Specifically timeout now doesn't exit with an error message
   if its parent ignores CHLD signals. [bug introduced in coreutils-7.6]
 
+  a user running "make distcheck" in the coreutils source directory,
+  with TMPDIR unset or set to the name of a world-writable directory,
+  and with a malicious user on the same system
+  was vulnerable to arbitrary code execution
+  [bug introduced in coreutils-7.0]
+
+
 * Noteworthy changes in release 8.1 (2009-11-18) [stable]
 
 ** Bug fixes