Libvirt is vulnerable to an automake security hole; anyone that runs
'make distcheck' on any existing libvirt release tarball risks a local
exploit that can take advantage of world-writable permissions to inject
the operation of attacker-controlled code under the capabilities of the
developer testing the package. This security hole can be mitigated by
either avoiding the use of 'make distcheck', or by setting a restrictive
umask (such as 022) before running 'make distcheck'.
Since few people beyond developers tend to run 'make distcheck', I'm not
too worried about pushing out a new libvirt tarball any sooner than the
regular release cycle. But we should definitely upgrade to the latest
gnulib (it adds a syntax check to validate whether the vulnerability
still exists), and ensure that the release of libvirt 0.10.0, as well as
the next maintenance releases of v0.9.{6,11}-maint, have been built with
patched automake.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org