From 070b7fffe78bba3d711f93fbab5a1851c7e54031 Mon Sep 17 00:00:00 2001
From: unknown
Date: Tue, 14 Aug 2012 18:50:56 -0500
Subject: [PATCH] Import version as of 2012-08-14 for upload-ftp-v1.1.pl

---
 upload-ftp-v1.1.pl | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/upload-ftp-v1.1.pl b/upload-ftp-v1.1.pl
index f10ed13..1268d49 100755
--- a/upload-ftp-v1.1.pl
+++ b/upload-ftp-v1.1.pl
@@ -858,7 +858,7 @@ sub read_directive_file {
 # Verify that this is really a new version of the file!
 if (exists($serials{$full_filename}) && ($serials{$full_filename} >= $epoch)) {
 flock(SERIALS,4); # Release lock
- &fatal("Gpg signed upload older than/same timestamp as existing version - not allowed. In other words, the filenames for the triplet you have uploaded are an exact match for a triplet that has been uploaded in the past, and the directive file that you just uploaded has been signed before or at the same time as the directive file for the triplet that was uploaded earlier. Most likely, you are re-uploading an old triplet.",1);
+ &fatal("GPG signed upload older than/same timestamp as existing version - not allowed. In other words, the filenames for the triplet you have uploaded are an exact match for a triplet that has been uploaded in the past, and the directive file that you just uploaded has been signed before or at the same time as the directive file for the triplet that was uploaded earlier. Most likely, you are re-uploading an old triplet.",1);
 }
 $serials{$full_filename} = $epoch;
@@ -973,24 +973,37 @@ sub check_files {
 close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
 return if (!$found_makefile);
 # If it does, check inside them
- ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029") if $DEBUG;
- $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file --wildcards '*/Makefile.in'";
+ ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029 and CVE-2012-3386") if $DEBUG;
+ $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file 'Makefile.in' --wildcards '*/Makefile.in' 2>/dev/null";
 open (TAR, "$tar_cmd|") or &fatal("failed to run command: $tar_cmd",1);
- my $found_bad = 0;
+ my $found_cve_2009_4029 = 0;
+ my $found_cve_2012_3386 = 0;
+ my $error_string = '';
 while (defined (my $line = )) {
 if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) {
- $found_bad = 1;
- last;
+ $found_cve_2009_4029 = 1;
+ }
+ if ($line =~ /chmod a\+w \$\(distdir\)/) {
+ $found_cve_2012_3386 = 1;
 }
 }
 close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
- $found_bad
- and &fatal("upload rejected: $upload_file contains a vulnerable "
+
+ # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point people to that version instead
+ # of 1.11.1, which fixes CVE-2009-4029. Ward, 2012-07-20
+ $found_cve_2009_4029 and $error_string .= "upload rejected: $upload_file contains a vulnerable "
 . "Makefile.in (CVE-2009-4029);\n"
- . "Regenerate it with automake 1.11.1 or newer.",1,'',3);
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+
+ $found_cve_2012_3386 and $error_string .= "upload rejected: $upload_file contains a vulnerable "
+ . "Makefile.in (CVE-2012-3386);\n"
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+
+ ($found_cve_2009_4029 or $found_cve_2012_3386) and &fatal($error_string,1,'',3);
+
 }
- ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029") if $DEBUG;
+ ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029 and CVE-2012-3386") if $DEBUG;
 }
-- 
2.25.1
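Review bot: The new `$tar_cmd` line still interpolates `$upload_file` into a string that `open (TAR, "$tar_cmd|")` hands to /bin/sh, and the appended `2>/dev/null` now forces the shell path even for plain filenames, so any shell metacharacter in an uploaded name is executed as a command unless it was already rejected earlier in `check_files` — I cannot see that validation from this hunk, and the scanner should not depend on it. Replace the `$tar_cmd` assignment and the `open` with the list-form pipe open so tar receives its arguments directly: `open (TAR, '-|', '/bin/tar', '--to-stdout', '-x', '-f', $upload_file, 'Makefile.in', '--wildcards', '*/Makefile.in')` followed by `or &fatal("failed to run /bin/tar on $upload_file",1);`. This drops the stderr redirect; if tar's "not found in archive" noise matters in the log, silence STDERR in a forked child before `exec` rather than in a shell string. The rest of the hunk (the scan loop, `close(TAR)` and the CVE reporting) can stay as written; `check_files` begins before this hunk.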