From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020605 Description of problem: redhat m4 (1.4.1) seems to use a unreleased test version of m4. Quoting one of my users: Uh, oh. Just found out that `prerelease 1.4.1' is from 1994! It has none of the syntax change features. What a stupid idea from RedHat to use this, given that 1.4.1 neither exists on ftp.gnu.org (I haven't checked alpha.gnu.org, but this may be empty anyway due to the compromise of gnu.org last month) nor on Seindal's website -- someone should send a bug report to RedHat IMHO. So please upgrade to 1.4o or 1.4ppre2 (both are from 2000). Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. 2. 3. (na) Additional info:
I have looked at 1.4, the version shipped by Red Hat and the newest alpha versions that have been released in january of 2000. The current version in Red Hat is pretty close to the last release of m4-1.4 and has had good testing during the last several releases of Red Hat Linux. Maybe we should downgrade this back to the 1.4 release. Thanks, Florian La Roche
Fedora Core 1, 2, 3 and devel also contains unofficial m4 release. Currently lastest m4 release is 1.4.2, maybe it's good time (after release freze) to update it in FC? URL in spec file could be changed to: http://www.gnu.org/software/m4/
m4 in Fedora devel tree contain only part of security patches. Bellow patches aren't included: * doc/m4.texinfo (Maketemp): Change maketemp to refer to a new, empty file rather than to a nonexistent file. This closes a common security hole. * src/builtin.c (m4_maketemp): Implement the above, by using mkstemp rather than mktemp. (trivial change) http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84416 They are fixed in 1.4.2.
m4-1.4.2-1 shoud appear in rawhide soon. The maketemp changes are a change of behavior that should not affect security of properly written programs (FWIW, POSIX requires yet another, even more insecure behavior). Thanks for the heads-up.