This is to announce coreutils-8.2. This is a bug-fix-only "stable" release.

Not only does this release fix a few bugs in the tools, but it fixes
two exploitable bugs in the build rules. One (the "make dist"
vulnerability) was fixed by regenerating all Makefile.in files using
a fixed version of automake[1]. That bug affects all packages using
automake-generated Makefile.in files. The other vulnerability (the
"make distcheck" bug mentioned below) is specific to this package.
You would be vulnerable only if you were to run "make distcheck" on
a system with a local attacker.

As usual, this release includes a ton of gnulib improvements
(104 change-sets worth). Thanks to everyone who has been helping.

[1] http://bugzilla.redhat.com/542609
    http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html

For a summary of changes and contributors, see:
  http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v8.2
or run this command from a git-cloned coreutils directory:
  git shortlog v8.1..v8.2

To summarize the gnulib-related changes, run these commands
from a git-cloned coreutils directory:
  git checkout v8.2
  git submodule summary v8.1

Here are the compressed sources:
  http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.gz   (11MB)
  http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.xz   (4.3MB)

Here are the GPG detached signatures[*]:
  http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.gz.sig
  http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.xz.sig

To reduce load on the main server, use a mirror listed at:
  http://www.gnu.org/order/ftp.html

[*] You can use either of the above signature files to verify that
the corresponding file (without the .sig suffix) is intact. First,
be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:

  gpg --verify coreutils-8.2.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver keys.gnupg.net --recv-keys B9AB9A16

and rerun the `gpg --verify' command.

This release was bootstrapped with the following tools:
  Autoconf 2.65.8-b4f0a
  Automake 1.11a
  Gnulib v0.0-2995-g63983c0
  Bison 2.4.1.160-aa01

NEWS

* Noteworthy changes in release 8.2 (2009-12-11) [stable]

** Bug fixes

  id's use of mgetgroups no longer writes beyond the end of a malloc'd
  buffer [bug introduced in coreutils-8.1]

  id no longer crashes on systems without supplementary group support.
  [bug introduced in coreutils-8.1]

  rm once again handles zero-length arguments properly.
  The rewrite to make rm use fts introduced a regression whereby
  a command like "rm a '' b" would fail to remove "a" and "b", due to
  the presence of the empty string argument.
  [bug introduced in coreutils-8.0]

  sort is now immune to the signal handling of its parent.
  Specifically sort now doesn't exit with an error message
  if it uses helper processes for compression and its parent
  ignores CHLD signals. [bug introduced in coreutils-6.9]

  tail without -f no longer accesses uninitialized memory
  [bug introduced in coreutils-7.6]

  timeout is now immune to the signal handling of its parent.
  Specifically timeout now doesn't exit with an error message
  if its parent ignores CHLD signals. [bug introduced in coreutils-7.6]

  a user running "make distcheck" in the coreutils source directory,
  with TMPDIR unset or set to the name of a world-writable directory,
  and with a malicious user on the same system
  was vulnerable to arbitrary code execution
  [bug introduced in coreutils-5.0]
_______________________________________________ GNU Announcement mailing list <info-gnu@gnu.org> http://lists.gnu.org/mailman/listinfo/info-gnu
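
Added example, not part of the announcement or of coreutils: a pre-flight check for the TMPDIR condition the last NEWS entry describes (unset, or naming a world-writable directory), for anyone who still has to run "make distcheck" in a tree older than 8.2 on a shared machine. The function names and the PRIVATE_BASE variable are hypothetical, and the example assumes $HOME (or PRIVATE_BASE) is a directory only the invoking user can write to.

```shell
#!/bin/sh
# Added example: not part of coreutils or its build rules.
# Function names and PRIVATE_BASE are hypothetical.

# Succeed if $1 (symlinks followed) is a directory writable by "other".
is_world_writable() {
    perms=$(ls -ldL -- "$1" 2>/dev/null) || return 1
    case $perms in
        d???????w*) return 0 ;;   # 9th character is the other-write bit
        *)          return 1 ;;
    esac
}

# Classify a TMPDIR value against the condition stated in NEWS.
# Prints: unset | missing | world-writable | private
classify_tmpdir() {
    if [ -z "$1" ]; then
        echo unset
    elif [ ! -d "$1" ]; then
        echo missing
    elif is_world_writable "$1"; then
        echo world-writable
    else
        echo private
    fi
}

# Run a command (e.g. make distcheck) with TMPDIR set to a directory that
# is not world-writable. A TMPDIR that is already private is kept as is;
# otherwise a fresh mode-0700 directory is created under PRIVATE_BASE
# (default: $HOME) and removed afterwards.
run_with_private_tmpdir() {
    if [ "$(classify_tmpdir "${TMPDIR-}")" = private ]; then
        "$@"
        return
    fi
    priv=$(mktemp -d "${PRIVATE_BASE:-$HOME}/distcheck.XXXXXX") || return 1
    status=0
    ( TMPDIR=$priv; export TMPDIR; "$@" ) || status=$?
    rm -rf -- "$priv"
    return "$status"
}

# Usage: run_with_private_tmpdir make distcheck
```

The check only covers the precondition named in NEWS; the fix itself is in the 8.2 build rules.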