[libvirt] make syntax-check: [sc_vulnerable_makefile_CVE-2009-4029] Error 1

Kenneth Nagin NAGIN at il.ibm.com
Mon May 3 11:35:59 UTC 2010 

>Jim Meyering <jim at meyering.net> wrote on 03/05/2010 11:36:59:

> From: Jim Meyering <jim at meyering.net>
> To: Kenneth Nagin/Haifa/IBM at IBMIL
> Cc: Cole Robinson <crobinso at redhat.com>, list libvirt
<libvir-list at redhat.com>
> Date: 03/05/2010 11:37
> Subject: Re: [libvirt] make syntax-check:
> [sc_vulnerable_makefile_CVE-2009-4029] Error 1
>
> Kenneth Nagin wrote:
> >>Cole Robinson <crobinso at redhat.com> wrote on 30/04/2010 15:42:05:
> >
> >> From: Cole Robinson <crobinso at redhat.com>
> >> To: Kenneth Nagin/Haifa/IBM at IBMIL
> >> Cc: "Daniel P. Berrange" <berrange at redhat.com>, list libvirt
> >> <libvir-list at redhat.com>, Daniel Veillard <veillard at redhat.com>
> >> Date: 30/04/2010 15:42
> >> Subject: Re: [libvirt] (Resend) Live Migration with non-shared storage
> > for kvm
> >>
> >> Applying the patch (to last weeks checkout), there are some
> > compilerwarnings:
> >> make sure you configure with --enable-compiler-warnings=error. 'make
> >> syntax-check' also fails, so please address these.
> >
> > But I get this error message when compiling with 'make syntax-check':
> >
> > 2.14 unmarked_diagnostics
> > vulnerable_makefile_CVE-2009-4029
> > ./Makefile.in:1283:   -find $(distdir) -type d ! -perm -777 -exec
> chmod a+rwx
> > {} \; -o \
> > maint.mk: the above files are vulnerable; beware of running
> > "make dist*" rules, and upgrade to fixed automake
> > see http://bugzilla.redhat.com/542609 for details
> > make: *** [sc_vulnerable_makefile_CVE-2009-4029] Error 1
> >
> > This problem is unrelated to any changes that I made and appearantly
the
> > compile completes because make install works properly.
> >
> > Any suggestions on how to resolve this error message.
>
> That means you are using a version of automake
> that lacks the fix for the referenced bug.  Upgrading
> to a patched version of automake, and regenerating all
> Makefile.in files will fix it.
>
> If you run any make rule that runs that find command,
> you may expose yourself to a nasty exploit.
I upgrade automake, but now make syntac-check fails with because LIBTOOL is
undefined.  I followed the instructions in the error message but it didn't
help.

[root at hoover libvirt]# make syntax-check
 cd .
&& /bin/sh /gpfs/reservoir/nagin/workspace/libvirt_tip/libvirt/build-aux/missing
 --run automake-1.10 --gnu
gnulib/lib/Makefile.am:21: Libtool library used but `LIBTOOL' is undefined
gnulib/lib/Makefile.am:21:   The usual way to define `LIBTOOL' is to add
`AC_PROG_LIBTOOL'
gnulib/lib/Makefile.am:21:   to `configure.ac' and run `aclocal' and
`autoconf' again.
gnulib/lib/Makefile.am:21:   If `AC_PROG_LIBTOOL' is in `configure.ac',
make sure
gnulib/lib/Makefile.am:21:   its definition is in aclocal's search path.

regards
Kenneth Nagin

More information about the libvir-list mailing list