Red Hat Bugzilla – Bug 71760
m4 uses unofficial release
Last modified: 2007-04-18 12:45:37 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020605
Description of problem:
redhat m4 (1.4.1) seems to use a unreleased test version of m4.
Quoting one of my users:
Uh, oh. Just found out that `prerelease 1.4.1' is from 1994! It has
none of the syntax change features. What a stupid idea from RedHat to
use this, given that 1.4.1 neither exists on ftp.gnu.org (I haven't
checked alpha.gnu.org, but this may be empty anyway due to the
compromise of gnu.org last month) nor on Seindal's website -- someone
should send a bug report to RedHat IMHO. So please upgrade to 1.4o or
1.4ppre2 (both are from 2000).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I have looked at 1.4, the version shipped by Red Hat and the newest alpha
versions that have been released in january of 2000.
The current version in Red Hat is pretty close to the last release of m4-1.4
and has had good testing during the last several releases of Red Hat Linux.
Maybe we should downgrade this back to the 1.4 release.
Florian La Roche
Fedora Core 1, 2, 3 and devel also contains unofficial m4 release.
Currently lastest m4 release is 1.4.2, maybe it's good time (after
release freze) to update it in FC?
URL in spec file could be changed to:
m4 in Fedora devel tree contain only part of security patches.
Bellow patches aren't included:
* doc/m4.texinfo (Maketemp): Change maketemp to refer to a new,
empty file rather than to a nonexistent file.
This closes a common security hole.
* src/builtin.c (m4_maketemp): Implement the above, by using
mkstemp rather than mktemp. (trivial change)
They are fixed in 1.4.2.
m4-1.4.2-1 shoud appear in rawhide soon.
The maketemp changes are a change of behavior that should not
affect security of properly written programs (FWIW, POSIX requires
yet another, even more insecure behavior).
Thanks for the heads-up.