01-CVE-2012-3386.patch revision 992
--- automake-1.10/NEWS.orig 2012-07-10 06:06:11.262965208 -0700
+++ automake-1.10/NEWS 2012-07-10 06:06:49.380882833 -0700
@@ -128,6 +128,15 @@
flavors, including optional formats such as dvi, ps, or info even
when `no-installinfo' is used.)
+* SECURITY VULNERABILITIES!
+
+ - The recipe of the 'distcheck' no longer grants anymore temporary
+ world-wide write permissions on the extracted distdir. Even if such
+ rights were only granted for a vanishingly small time window, the
+ implied race condition proved to be enough to allow a local attacker
+ to run arbitrary code with the privileges of the user running "make
+ distcheck". This is CVE-2012-3386.
+
* Miscellaneous changes:
- Automake no longer complains if input files for AC_CONFIG_FILES
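Review bot: the added NEWS entry reads "no longer grants anymore temporary world-wide write permissions", which doubles the negation; "no longer grants temporary world-writable permissions on the extracted distdir" says the same thing cleanly, and "The recipe of the 'distcheck'" is missing the word "target" (or could simply be "The 'distcheck' recipe"). The substance of the entry matches the code change below (a+w to u+w on the top-level distdir), so the CVE identifier and the description of the race are consistent with the patch; only the wording needs tidying.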
--- automake-1.10/lib/am/distdir.am.orig 2012-07-10 06:08:03.395311756 -0700
+++ automake-1.10/lib/am/distdir.am 2012-07-10 06:08:34.847417147 -0700
@@ -327,7 +327,7 @@
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.
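Review bot: the one-character change from `chmod a+w $(distdir)` to `chmod u+w $(distdir)` is the right fix: the recipe only needs the owner to be able to create `_build` and `_inst`, and granting write to group and other was what let any local user drop files into the extracted tree during the window before the later "Undo the write access" step. Two follow-ups worth considering in the same hunk: update the preceding comment ("make the top-level directory writable so we can make our new subdirs") to say "writable by the owner only", so nobody reintroduces `a+w` later thinking it was intended, and double-check that the corresponding "undo" command still uses `a-w` (or at least `u-w`) so the directory ends up read-only again for the rest of `distcheck`.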