Bug 71760 - m4 uses unofficial release
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: m4
Version: 7.3
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Miloslav Trmač
Ben Levenson
Reported: 2002-08-18 06:57 EDT by Han-Wen Nienhuys
Modified: 2007-04-18 12:45 EDT (History)
Fixed In Version: 1.4.2-1
Doc Type: Bug Fix
Last Closed: 2004-12-12 14:22:40 EST

Description Han-Wen Nienhuys 2002-08-18 06:57:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020605

Description of problem:
Red Hat m4 (1.4.1) seems to use an unreleased test version of m4.
Quoting one of my users:
 
Uh, oh.  Just found out that `prerelease 1.4.1' is from 1994!  It has
none of the syntax change features.  What a stupid idea from RedHat to
use this, given that 1.4.1 neither exists on ftp.gnu.org (I haven't
checked alpha.gnu.org, but this may be empty anyway due to the
compromise of gnu.org last month) nor on Seindal's website -- someone
should send a bug report to RedHat IMHO.  So please upgrade to 1.4o or
1.4ppre2 (both are from 2000).


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3. (na)
	

Additional info:
Comment 1 Florian La Roche 2002-08-21 12:31:00 EDT
I have looked at 1.4, the version shipped by Red Hat and the newest alpha
versions that have been released in January of 2000.

The current version in Red Hat is pretty close to the last release of m4-1.4
and has had good testing during the last several releases of Red Hat Linux.

Maybe we should downgrade this back to the 1.4 release.

Thanks,

Florian La Roche

Comment 2 Marcin Garski 2004-11-18 14:10:22 EST
Fedora Core 1, 2, 3 and devel also contain an unofficial m4 release.
Currently the latest m4 release is 1.4.2, maybe it's a good time (after
release freeze) to update it in FC?
URL in spec file could be changed to:
http://www.gnu.org/software/m4/
Comment 3 Marcin Garski 2004-12-12 10:12:19 EST
m4 in the Fedora devel tree contains only part of the security patches.

The patches below aren't included:
* doc/m4.texinfo (Maketemp): Change maketemp to refer to a new,
        empty file rather than to a nonexistent file.
       This closes a common security hole.
        * src/builtin.c (m4_maketemp): Implement the above, by using
        mkstemp rather than mktemp.  (trivial change)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84416

They are fixed in 1.4.2.
Comment 5 Miloslav Trmač 2004-12-12 14:22:40 EST
m4-1.4.2-1 should appear in rawhide soon.

The maketemp changes are a change of behavior that should not
affect security of properly written programs (FWIW, POSIX requires
yet another, even more insecure behavior).

Thanks for the heads-up.
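
The mktemp-to-mkstemp change quoted in Comment 3, and the "properly written programs" remark in Comment 5, shown as an added C example that is not m4's source: mkstemp() creates the file together with the name, while a caller given only a name has to create it with O_EXCL itself. The function names and the /tmp/m4-demo- prefix are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* New behaviour: mkstemp() picks the name AND creates the file atomically.
 * Returns 0 if it is a new, empty regular file with no group/other access. */
int mkstemp_is_private(char *tmpl)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_size == 0 && (st.st_mode & 077) == 0;
    close(fd);
    unlink(tmpl);
    return ok ? 0 : -1;
}

/* Old behaviour returned only a name. A caller creating the file itself needs
 * O_EXCL so a path that appeared meanwhile is refused; returns 0 or errno. */
int exclusive_create(const char *name)
{
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Models the gap between choosing a name and creating the file. */
int create_when_taken(void)
{
    char name[] = "/tmp/m4-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(name);                /* the name gets taken first */
    if (fd < 0) return -1;
    close(fd);
    int err = exclusive_create(name);      /* refused: EEXIST */
    unlink(name);
    return err;
}

int main(void)
{
    char t[] = "/tmp/m4-demo-XXXXXX";
    printf("%d %d\n", mkstemp_is_private(t) == 0, create_when_taken());
    return 0;
}
```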
