If you run "make distcheck" (the rule generated by automake), be sure that it is safe. Until a few days ago, running that rule in a directory readable by others would put you at risk from a local attacker. It can be exploited reliably.

It's fixed in the latest, automake-12.2

    http://bugzilla.redhat.com/CVE-2012-3386
    http://savannah.gnu.org/forum/forum.php?forum_id=7294

One work-around is to ensure that your build directory is not readable by the potential attacker.

A more general (but more onerous) approach is to use a restrictive umask, e.g. by adding "umask 077" to some shell start-up file. But don't do that lightly, since there are still plenty of tools that are unprepared for that. Personally, I've had a umask of 077 for the last few years because I'm rather paranoid, but it has also caused trouble, and I've had to learn when to invoke tools in a subshell like this

    (umask 022; run some tool)

especially as root.

To see if you have a vulnerable Makefile.in file, run this:

    find . -name Makefile.in|xargs grep chmod.a+w

It usually finds problems in the top-level Makefile.in. If you see any matching line, say like this,

    ./Makefile.in: chmod -R a-w $(distdir); chmod a+w $(distdir)

then that rule is vulnerable: install a patched automake and/or just change a+w to u+w on that line.

Note that just installing a fixed automake is not enough. You must also rerun it, in order to regenerate each offending Makefile.in. This means that if you ever unpack an old tarball and run "make distcheck" using that, you may be vulnerable.

If you're about to make a release, be sure to regenerate your Makefile.in files with a fixed automake before doing that so that people who use your release tarball are not vulnerable.
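
The check and the a+w to u+w change described above, combined into one script that also copes with directory names containing spaces. This is an added example, not part of the original post; the function names list_vulnerable and fix_vulnerable are made up here, and the pattern is the one the post greps for.

```shell
#!/bin/sh
# Added example: audit a tree for the distcheck chmod described in the post
# and optionally apply the a+w -> u+w edit it recommends.
# Usage: sh audit.sh [--fix] [DIR]     (DIR defaults to the current directory)

# Basic regex: "chmod", whitespace, then a literal "a+w" (in a BRE, + is literal).
VULN_RE='chmod[[:space:]][[:space:]]*a+w'

# Print every Makefile.in under $1 that still contains the a+w chmod.
list_vulnerable() {
    # grep -l exits 1 when nothing matches; that is not an error here.
    find "$1" -type f -name Makefile.in -exec grep -l "$VULN_RE" {} + || :
}

# Rewrite "chmod a+w" to "chmod u+w" in each file reported above.
# Assumption: file names contain no newlines (spaces are fine).
fix_vulnerable() {
    list_vulnerable "$1" | while IFS= read -r f; do
        tmp="$f.fix.$$"
        # Write through cat so the original file keeps its mode and inode.
        sed 's/\(chmod[[:space:]][[:space:]]*\)a+w/\1u+w/g' "$f" > "$tmp" &&
            cat "$tmp" > "$f"
        rm -f "$tmp"
        echo "patched: $f"
    done
}

case "${1:-}" in
    --fix) fix_vulnerable "${2:-.}" ;;
    *)     list_vulnerable "${1:-.}" ;;
esac
```

Editing Makefile.in this way only covers the tree at hand; regenerating with a fixed automake, as the post says, is what keeps the a+w line from coming back.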