coreutils-8.2 released [stable]
From: Jim Meyering
Subject: coreutils-8.2 released [stable]
Date: Fri, 11 Dec 2009 18:11:51 +0100
This is to announce coreutils-8.2.
This is a bug-fix-only "stable" release.
Not only does this release fix a few bugs in the tools, but it fixes two
exploitable bugs in the build rules. One (the "make dist" vulnerability)
was fixed by regenerating all Makefile.in files using a fixed version
of automake[1]. That bug affects all packages using automake-generated
Makefile.in files. The other vulnerability (the "make distcheck" bug
mentioned below) is specific to this package. You would be vulnerable
only if you were to run "make distcheck" on a system with a local attacker.
As usual, this release includes a ton of gnulib improvements
(104 change-sets worth). Thanks to everyone who has been helping.
[1] http://bugzilla.redhat.com/542609
http://lists.gnu.org/archive/html/automake/2009-12/msg00010.html
For a summary of changes and contributors, see:
http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v8.2
or run this command from a git-cloned coreutils directory:
  git shortlog v8.1..v8.2
To summarize the gnulib-related changes, run these commands from
a git-cloned coreutils directory:
  git checkout v8.2
  git submodule summary v8.1
Here are the compressed sources:
http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.gz (11MB)
http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.xz (4.3MB)
Here are the GPG detached signatures[*]:
http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.gz.sig
http://ftp.gnu.org/gnu/coreutils/coreutils-8.2.tar.xz.sig
To reduce load on the main server, use a mirror listed at:
http://www.gnu.org/order/ftp.html
[*] You can use either of the above signature files to verify that
the corresponding file (without the .sig suffix) is intact. First,
be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:
  gpg --verify coreutils-8.2.tar.gz.sig
If that command fails because you don't have the required public key,
then run this command to import it:
  gpg --keyserver keys.gnupg.net --recv-keys B9AB9A16
and rerun the `gpg --verify' command.
This release was bootstrapped with the following tools:
Autoconf 2.65.8-b4f0a
Automake 1.11a
Gnulib v0.0-2995-g63983c0
Bison 2.4.1.160-aa01
NEWS
* Noteworthy changes in release 8.2 (2009-12-11) [stable]
** Bug fixes
id's use of mgetgroups no longer writes beyond the end of a malloc'd buffer
[bug introduced in coreutils-8.1]
id no longer crashes on systems without supplementary group support.
[bug introduced in coreutils-8.1]
rm once again handles zero-length arguments properly.
The rewrite to make rm use fts introduced a regression whereby
a command like "rm a '' b" would fail to remove "a" and "b", due to
the presence of the empty string argument.
[bug introduced in coreutils-8.0]
sort is now immune to the signal handling of its parent.
Specifically sort now doesn't exit with an error message
if it uses helper processes for compression and its parent
ignores CHLD signals. [bug introduced in coreutils-6.9]
tail without -f no longer accesses uninitialized memory
[bug introduced in coreutils-7.6]
timeout is now immune to the signal handling of its parent.
Specifically timeout now doesn't exit with an error message
if its parent ignores CHLD signals. [bug introduced in coreutils-7.6]
a user running "make distcheck" in the coreutils source directory,
with TMPDIR unset or set to the name of a world-writable directory,
and with a malicious user on the same system
was vulnerable to arbitrary code execution
[bug introduced in coreutils-5.0]
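
A pre-flight check for the "make distcheck" condition in the last NEWS entry above, as an added example that is not part of the original announcement or of coreutils: it flags a TMPDIR that is unset or world-writable, and runs a command with TMPDIR pointing at a fresh private directory. The function names are hypothetical, and using a private TMPDIR as a workaround on unfixed releases is an assumption drawn from the stated condition, not a fix described in the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of coreutils.

# Succeeds (status 0) when the given TMPDIR value matches the condition in
# the NEWS entry: unset/empty, or naming a world-writable directory.
tmpdir_is_risky() {
    _dir=$1
    [ -n "$_dir" ] || return 0      # unset: programs fall back to a shared default
    [ -d "$_dir" ] || return 0      # unusable value: treat like unset
    # "$_dir/." follows a symlink to the real directory; -perm -0002 matches
    # when the "other" write bit is set (the sticky bit does not change that).
    _hit=$(find "$_dir/." -prune -perm -0002 -print 2>/dev/null) || return 0
    [ -n "$_hit" ]
}

# Run a command with TMPDIR set to a fresh mode-0700 directory created under
# BASE, then remove that directory. Returns the command's exit status.
# Usage: run_in_private_tmpdir BASE COMMAND [ARG...]
run_in_private_tmpdir() {
    _base=$1; shift
    _priv=$(mktemp -d "$_base/distcheck.XXXXXX") || return 1
    if tmpdir_is_risky "$_priv"; then   # refuse if the result is still exposed
        rmdir "$_priv"; return 1
    fi
    _rc=0
    ( TMPDIR=$_priv; export TMPDIR; "$@" ) || _rc=$?
    rm -rf -- "$_priv"
    return "$_rc"
}

# Example (assumed workflow): warn, then run the build step privately.
#   tmpdir_is_risky "${TMPDIR:-}" && echo "TMPDIR is unset or world-writable" >&2
#   run_in_private_tmpdir "$HOME" make distcheck
```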