From: Jim Meyering <meyering@redhat.com>
Date: Wed, 9 Dec 2009 12:04:46 +0000 (+0100)
Subject: doc: NEWS: mention the "make distcheck" vulnerability
X-Git-Tag: v8.2~7
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=23c0cecaa8ca102292fe33d771c8cd2220249b59;p=platform%2Fupstream%2Fcoreutils.git

doc: NEWS: mention the "make distcheck" vulnerability

* NEWS (Bug fixes): Mention implications of the "make distcheck" change.
This was introduced on 2008-07-22 by commit 9bb0d576, "tests: ensure
"make check" w/tainted build dir no longer impacts $HOME".
---

diff --git a/NEWS b/NEWS
index e30e7e5..a281838 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,13 @@ GNU coreutils NEWS                                    -*- outline -*-
   Specifically timeout now doesn't exit with an error message
   if its parent ignores CHLD signals. [bug introduced in coreutils-7.6]
 
+  a user running "make distcheck" in the coreutils source directory,
+  with TMPDIR unset or set to the name of a world-writable directory,
+  and with a malicious user on the same system
+  was vulnerable to arbitrary code execution
+  [bug introduced in coreutils-7.0]
+
+
 * Noteworthy changes in release 8.1 (2009-11-18) [stable]
 
 ** Bug fixes