From: unknown Date: Thu, 11 Feb 2010 15:19:25 +0000 (-0600) Subject: Import version as of 2010-02-11 for upload-ftp-v1.1.pl X-Git-Tag: 20200730__import~35 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=4836071766e2fe3f5a592a5526a07a58113203b3;p=gatekeeper.git Import version as of 2010-02-11 for upload-ftp-v1.1.pl
---
diff --git a/upload-ftp-v1.1.pl b/upload-ftp-v1.1.pl
index 23a0c7c..1e22faf 100755
--- a/upload-ftp-v1.1.pl
+++ b/upload-ftp-v1.1.pl
@@ -1,16 +1,27 @@
-#!/usr/local/bin/perl -Tw
+#!/usr/bin/perl -Tw
+
 #
 # Take files that have been uploaded via ftp and move them into place on
 # ftp.gnu.org.
 #
-# This file is free software; as a special exception the author gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
+
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
-# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# Short overview
+#
 # We expect to find (1) a directive file, specifying the directory to
 # store into (syntax details later); (2) the actual file to be
 # distributed (no signature); (3) a detached signature for (2).
@@ -76,7 +87,7 @@
 # Additional changes by Paul Fisher (rao@gnu.org), November 2003
 # Additional functionality (v1.1) by Ward Vandewege (ward@gnu.org), May 2004
 # Additional changes (syslog) by Justin Baugh (baughj@gnu.org), August 2005
-# Additional testing and bugfixes by Ward Vandewege (ward@gnu.org), Apr 2006
+# Additional testing and bugfixes by Ward Vandewege (ward@gnu.org), Apr 2006 - Jan 2010
 
 use strict;
 use Net::SMTP;
@@ -96,10 +107,10 @@ my $V1_COMPAT_ALLOWED = 1;
 my $NAME = 'upload-ftp-v1.1.pl';
 my $VERSION = '1.1'; # This is the protocol version
-my $DATE = '2008/06/23 12:02:44';
-my $AUTHOR = "the Free Software Foundation ";
-my $COPYRIGHT = "2003-2008";
-my $LICENSE = "GPL - http://www.fsf.org/licenses/gpl.txt";
+my $DATE = '2010/01/26 16:13:29';
+my $AUTHOR = "Free Software Foundation ";
+my $COPYRIGHT = "2003-2010";
+my $LICENSE = "GPLv3 or later - http://www.fsf.org/licenses/gpl.txt";
 my $URL = "http://www.gnu.org/prep/maintain/html_node/Automated-FTP-Uploads.html";
 my $style = '';
@@ -478,7 +489,7 @@ sub keyring_file {
 my $tmp = $directory;
 while (1) {
 if (-e "$package_config_base/$tmp/pubring.gpg") {
- ftp_syslog('debug', "($log_style) DEBUG: " . "$package_config_base/$tmp/pubring.gpg") if $DEBUG;
+ ftp_syslog('debug', "($log_style) DEBUG: " . "found $package_config_base/$tmp/pubring.gpg") if $DEBUG;
 push(@pubrings,"$package_config_base/$tmp/pubring.gpg");
 }
 my $tmp2 = $tmp;
@@ -753,8 +764,6 @@ sub read_directive_file {
 # than the one for the last file that was uploaded
 # This is only relevant when a 'filename' directive is present, hence the
 # test of the $filename_required variable.
- # WHY IS THIS ONLY RELEVANT WHEN WE HAVE A 'filename' DIRECTIVE? SHOULD WE
- # NOT ALWAYS CHECK THIS? WVW, 2006-04-07
 if (($retval =~ /Signature made (.*?) using/) && ($filename_required)) {
 my $timestr = $1;
 # If the time/date string starts with a weekday (e.g. "Wed Apr 28 16:40:03 2004 EDT"),
@@ -894,6 +903,7 @@ sub check_files {
 # as described in CVE-2009-4029.
 # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
 if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) {
+ ftp_syslog('debug', "($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $DEBUG;
 # First check if the file contains any Makefile.in files
 my $tar_cmd = "/bin/tar -tf $upload_file";
 open (TAR, "$tar_cmd|")
@@ -907,12 +917,13 @@ sub check_files {
 }
 return if (!$found_makefile);
 # If it does, check inside them
+ ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029") if $DEBUG;
 $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file --wildcards '*/Makefile.in'";
 open (TAR, "$tar_cmd|")
 or &fatal("failed to run command: $tar_cmd",1);
 my $found_bad = 0;
 while (defined (my $line = )) {
- $line =~ /-perm -777 -exec chmod/
+ $line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/
 and $found_bad = 1;
 }
 close TAR
@@ -922,6 +933,7 @@ sub check_files {
 . "Makefile.in (CVE-2009-4029);\n"
 . "Regenerate it with automake 1.11.1 or newer.",1,'',3);
 }
+ ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029") if $DEBUG;
 }
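Review bot: The new pattern on the `$line =~` line in the second hunk depends on exact single spaces between tokens, so a Makefile.in whose distdir rule is separated by tabs or multiple spaces would not be matched and would be reported as "tested negative"; tolerating whitespace runs with `$line =~ /perm\s+-777\s+-exec\s+chmod\s+a\+rwx|chmod\s+777\s+\$\(distdir\)/` keeps the intent and removes that gap. The two alternatives are undocumented, and a comment above the match such as `# Two forms of the vulnerable distdir rule: the find/-perm -777/-exec chmod a+rwx form and a plain chmod 777 $(distdir)` would tell the next maintainer what each one is meant to catch. The check is only as reliable as the extraction feeding it: the unchanged context `open (TAR, "$tar_cmd|")` interpolates `$upload_file` into a shell command line, and the list form `open my $tar, '-|', '/bin/tar', '--to-stdout', '-x', '-f', $upload_file, '--wildcards', '*/Makefile.in' or &fatal(...)` would keep the filename out of the shell entirely (presumably `$upload_file` has already been untainted for the `-T` run to reach this point). check_files begins and ends outside this hunk.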