Comment 1 for bug 1023960

Description of problem:
Stefano Lattarini discovered a vulnerability in automake
that is much like the one that prompted CVE-2009-4029:
automake's distcheck rule makes distdir briefly world-writable.
Stefano also wrote the patch below.

This bug is slightly more limited because it affects only the
"make distcheck" rule, while CVE-2009-4029 affected all dist* rules.

The point is that with these temporarily-relaxed directory permissions,
an attacker can cause the person running "make distcheck" in an attacker-
accessible (o+rx, or possibly only o+x) directory to run arbitrary code.

Version-Release number of selected component (if applicable):
  everything prior to v1.12.1-214-g15b8b62

How reproducible:
The directory is world-writable only briefly, but the flaw is
exploitable.