--- automake-1.10.3/NEWS.orig
+++ automake-1.10.3/NEWS
@@ -274,6 +274,15 @@
 flavors, including optional formats such as dvi, ps, or info even
 when `no-installinfo' is used.)
 
+* SECURITY VULNERABILITIES!
+
+  - The recipe of the 'distcheck' no longer grants anymore temporary
+    world-wide write permissions on the extracted distdir. Even if such
+    rights were only granted for a vanishingly small time window, the
+    implied race condition proved to be enough to allow a local attacker
+    to run arbitrary code with the privileges of the user running "make
+    distcheck". This is CVE-2012-3386.
+
 * Miscellaneous changes:
 
   - Automake no longer complains if input files for AC_CONFIG_FILES
--- automake-1.10.3/lib/am/distdir.am.orig
+++ automake-1.10.3/lib/am/distdir.am
@@ -362,7 +362,7 @@
 ## Make the new source tree read-only. Distributions ought to work in
 ## this case. However, make the top-level directory writable so we
 ## can make our new subdirs.
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 ## Undo the write access.
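Review bot: The two chmods on the changed line in distdir.am are still joined by `;`, so a failing `chmod -R a-w $(distdir)` is masked by the exit status of the following `chmod u+w` and distcheck carries on against a tree that was never made read-only; `chmod -R a-w $(distdir) && chmod u+w $(distdir)` would stop the recipe instead. The comment above the line still says only that the top-level directory is made writable, so the reason for `u+w` rather than `a+w` is lost on the next reader; I would extend it with `## Give write access to the owner only: a world-writable distdir, even briefly, let a local user race distcheck (CVE-2012-3386).` The distcheck recipe this line belongs to starts before the hunk, and the matching `chmod a-w` under "Undo the write access" lies after it.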