bug#21951: [security] libtoolize behavior depends on parent directories
From: Vincent Lefevre
Subject: bug#21951: [security] libtoolize behavior depends on parent directories
Date: Wed, 18 Nov 2015 12:05:58 +0100
User-agent: Mutt/1.5.24-6524-vl-r83103 (2015-11-09)

The libtoolize behavior depends on parent directories, which is
a security issue (in addition to surprising behavior) because
files may belong to other users, e.g. if the build is done in
some /tmp subdirectory. I don't know what the other users can
do exactly (in addition to making a build fail), though...

FYI, there was some confusion because we got errors like:
address@hidden:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=all -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=all
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warnings=all
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]
After doing a diff of the libtoolize trace (sh -x ...) between
two different machines, I saw:
+ test -f ./install-sh
+ test -f ./install.sh
+ test -f ../install-sh
+ test -f ../install.sh
-+ auxdir=..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n
++ auxdir=.
which was the cause of the error.
--
Vincent Lefèvre <address@hidden> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
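
A pre-build check for the condition described in the report above, added here as an example; it is not part of the original message or of libtool. It looks in the two parent levels that appear in the posted trace (`..` and `../..`) for `install-sh` or `install.sh` and prints each hit with its owner; the function name `check_parent_aux` and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not libtool code): detect files in parent directories that
# the auxdir probe shown in the trace would pick up.
# Probed names and levels are taken from the trace: install-sh, install.sh
# in "..", then "../..". The function name and output format are hypothetical.

check_parent_aux() {
    # $1: build directory to check (defaults to the current directory)
    builddir=${1:-.}
    found=0
    for rel in .. ../..; do
        for name in install-sh install.sh; do
            candidate="$builddir/$rel/$name"
            if test -f "$candidate"; then
                # Report the physical location, with symlinks resolved
                dir=$(cd "$builddir/$rel" && pwd -P)
                # Owner matters: in /tmp the file may belong to another user
                owner=$(ls -ld "$candidate" | awk '{print $3}')
                echo "$dir/$name owner=$owner"
                found=1
            fi
        done
    done
    # Exit status 0 only when no parent directory can influence the probe
    test "$found" -eq 0
}

# Typical use before running ./autogen.sh in a shared location:
#   check_parent_aux /tmp/mpfr || echo "parent directory affects libtoolize" >&2
```

A non-zero status means the build tree should be moved to a directory whose parents are owned by the building user before `autoreconf` is run.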