From 5e6be58a77a10811ce9b27eedc754eee1ce745e6 Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 11 Feb 2010 10:52:39 -0600
Subject: [PATCH] Import version as of 2010-02-11 for upload-ftp-v1.1.pl
---
 upload-ftp-v1.1.pl | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/upload-ftp-v1.1.pl b/upload-ftp-v1.1.pl
index 1e22faf..3360ddb 100755
--- a/upload-ftp-v1.1.pl
+++ b/upload-ftp-v1.1.pl
@@ -489,7 +489,7 @@ sub keyring_file {
 my $tmp = $directory;
 while (1) {
 if (-e "$package_config_base/$tmp/pubring.gpg") {
- ftp_syslog('debug', "($log_style) DEBUG: " . "found $package_config_base/$tmp/pubring.gpg") if $DEBUG;
+ ftp_syslog('debug', "($log_style) DEBUG: " . "found $package_config_base/$tmp/pubring.gpg") if $DEBUG;
 push(@pubrings,"$package_config_base/$tmp/pubring.gpg");
 }
 my $tmp2 = $tmp;
@@ -903,8 +903,8 @@ sub check_files {
 # as described in CVE-2009-4029.
 # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
 if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) {
- ftp_syslog('debug', "($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $DEBUG;
 # First check if the file contains any Makefile.in files
+ ftp_syslog('debug', "($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $DEBUG;
 my $tar_cmd = "/bin/tar -tf $upload_file";
 open (TAR, "$tar_cmd|") or &fatal("failed to run command: $tar_cmd",1);
@@ -915,25 +915,27 @@ sub check_files {
 last;
 }
 }
+ close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
 return if (!$found_makefile);
 # If it does, check inside them
- ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029") if $DEBUG;
+ ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029") if $DEBUG;
 $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file --wildcards '*/Makefile.in'";
 open (TAR, "$tar_cmd|") or &fatal("failed to run command: $tar_cmd",1);
 my $found_bad = 0;
 while (defined (my $line = )) {
- $line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/
- and $found_bad = 1;
+ if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) {
+ $found_bad = 1;
+ last;
+ }
 }
- close TAR
- or &fatal("failed to close pipe to '$tar_cmd'",1);
+ close TAR; # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop
 $found_bad and &fatal("upload rejected: $upload_file contains a vulnerable " . "Makefile.in (CVE-2009-4029);\n" . "Regenerate it with automake 1.11.1 or newer.",1,'',3);
 }
- ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029") if $DEBUG;
+ ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029") if $DEBUG;
 }
--
2.25.1
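Review bot: Both added `close` calls now ignore tar's exit status unconditionally, which makes the CVE-2009-4029 check fail open when tar itself fails rather than when it is merely cut off by the early `last`. If the listing command errors out before a Makefile.in entry is seen, `return if (!$found_makefile)` skips the scan, and if the extraction errors out the second loop ends with `$found_bad` still 0 and the check passes. A non-zero status is only expected after the loop broke early, so the error could stay fatal in the EOF case: `close(TAR) or $found_makefile or &fatal("failed to close pipe to '$tar_cmd'",1);` and `close TAR or $found_bad or &fatal("failed to close pipe to '$tar_cmd'",1);`. Separately, the context lines interpolate `$upload_file` into a shell command string; whether it is sanitised earlier is not visible here, and the list form `open(TAR, '-|', '/bin/tar', '-tf', $upload_file)` would keep the shell out of it. check_files begins above this hunk and the first loop's body is only partly visible.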