Bug 71760

Summary: m4 uses unofficial release
Product: [Retired] Red Hat Linux Reporter: Han-Wen Nienhuys <hanwen>
Component: m4Assignee: Miloslav Trmač <mitr>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: medium    
Version: 7.3CC: mgarski
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.4.2-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-12-12 19:22:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Han-Wen Nienhuys 2002-08-18 10:57:24 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020605

Description of problem:
redhat m4 (1.4.1) seems to use a unreleased test version of m4.
Quoting one of my users:
 
Uh, oh.  Just found out that `prerelease 1.4.1' is from 1994!  It has
none of the syntax change features.  What a stupid idea from RedHat to
use this, given that 1.4.1 neither exists on ftp.gnu.org (I haven't
checked alpha.gnu.org, but this may be empty anyway due to the
compromise of gnu.org last month) nor on Seindal's website -- someone
should send a bug report to RedHat IMHO.  So please upgrade to 1.4o or
1.4ppre2 (both are from 2000).


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3. (na)
	

Additional info:
Comment 1 Florian La Roche 2002-08-21 16:31:00 UTC 
I have looked at 1.4, the version shipped by Red Hat and the newest alpha
versions that have been released in january of 2000.

The current version in Red Hat is pretty close to the last release of m4-1.4
and has had good testing during the last several releases of Red Hat Linux.

Maybe we should downgrade this back to the 1.4 release.

Thanks,

Florian La Roche
Comment 2 Marcin Garski 2004-11-18 19:10:22 UTC 
Fedora Core 1, 2, 3 and devel also contains unofficial m4 release.
Currently lastest m4 release is 1.4.2, maybe it's good time (after
release freze) to update it in FC?
URL in spec file could be changed to:
http://www.gnu.org/software/m4/
Comment 3 Marcin Garski 2004-12-12 15:12:19 UTC 
m4 in Fedora devel tree contain only part of security patches.

Bellow patches aren't included:
* doc/m4.texinfo (Maketemp): Change maketemp to refer to a new,
        empty file rather than to a nonexistent file.
       This closes a common security hole.
        * src/builtin.c (m4_maketemp): Implement the above, by using
        mkstemp rather than mktemp.  (trivial change)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84416

They are fixed in 1.4.2.
Comment 5 Miloslav Trmač 2004-12-12 19:22:40 UTC 
m4-1.4.2-1 shoud appear in rawhide soon.

The maketemp changes are a change of behavior that should not
affect security of properly written programs (FWIW, POSIX requires
yet another, even more insecure behavior).

Thanks for the heads-up.