From a256731ee91380cd3d5b4e60487b28135a45d772 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 21 Mar 2013 16:50:13 -0500 Subject: [PATCH] Import version as of 2013-03-21 for upload-ftp-v1.2.pl --- upload-ftp-v1.2.pl | 73 +++++++++++++--------------------------------- 1 file changed, 20 insertions(+), 53 deletions(-) diff --git a/upload-ftp-v1.2.pl b/upload-ftp-v1.2.pl index 538cb49..0758683 100755 --- a/upload-ftp-v1.2.pl +++ b/upload-ftp-v1.2.pl @@ -87,7 +87,7 @@ # Additional changes by Paul Fisher (rao@gnu.org), November 2003 # Additional functionality (v1.1) by Ward Vandewege (ward@gnu.org), May 2004 # Additional changes (syslog) by Justin Baugh (baughj@gnu.org), August 2005 -# Additional testing and bugfixes by Ward Vandewege (ward@gnu.org), Apr 2006 - Jan 2010 +# Additional testing, bugfixes and functionality by Ward Vandewege (ward@gnu.org), Apr 2006 - Jan 2013 use strict; use Net::SMTP; @@ -108,11 +108,11 @@ delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; my $V1_COMPAT_ALLOWED = 0; -my $NAME = 'upload-ftp-v1.1.pl'; +my $NAME = 'upload-ftp-v1.2.pl'; my $VERSION = '1.2'; # This is the protocol version -my $DATE = '2012/09/21 10:18:29'; -my $AUTHOR = "Free Software Foundation "; -my $COPYRIGHT = "2003-2012"; +my $DATE = '2013/01/23 20:26:29'; +my $AUTHORS = "Free Software Foundation "; +my $COPYRIGHT = "2003-2013"; my $LICENSE = "GPLv3 or later - http://www.fsf.org/licenses/gpl.txt"; my $URL = "http://www.gnu.org/prep/maintain/html_node/Automated-FTP-Uploads.html"; @@ -263,7 +263,7 @@ sub usage_information { sub version_information { print "\nThis is $NAME protocol version $VERSION ($DATE)\n"; - print "Copyright (c) $COPYRIGHT by $AUTHOR\n"; + print "Copyright (c) $COPYRIGHT by $AUTHORS\n"; print "License: $LICENSE\n"; print "More information at $URL\n\n"; exit; @@ -584,7 +584,10 @@ sub email_addresses { sub parse_directory_line { my $tainted_val = shift; my $directive_file_contents = shift; - $tainted_val =~ s/ *$//; # Throw away trailing whitespace + $tainted_val =~ s/\r\n/\n/g; # deal with dos-based line endings... + $tainted_val =~ s/\s+$/\n/; # Some people like to put spaces after their commands + $tainted_val =~ s/^\s+//; # Or even *before* their commands + # $do_not_fail is set to 1 if this sub is called as a last resort in an attempt to find *someone* to report an error to. # When it is set, this sub will not die with &fatal. my $do_not_fail = shift; @@ -991,55 +994,19 @@ sub check_files { $valid or &fatal("gpg verify of upload file ($upload_file) failed",1); - # Reject an upload tarball if it contains a Makefile.in vulnerable - # as described in CVE-2009-4029. - # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131 - if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) { - # First check if the file contains any Makefile.in files - ftp_syslog('debug', "($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $DEBUG; - my $tar_cmd = "/bin/tar -tf $upload_file"; - open (TAR, "$tar_cmd|") - or &fatal("failed to run command: $tar_cmd",1); - my $found_makefile = 0; - while (defined (my $line = )) { - if ($line =~ /Makefile.in/i) { - $found_makefile = 1; - last; - } - } - close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop - return if (!$found_makefile); - # If it does, check inside them - ftp_syslog('debug', "($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029 and CVE-2012-3386") if $DEBUG; - $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file 'Makefile.in' --wildcards '*/Makefile.in' 2>/dev/null"; - open (TAR, "$tar_cmd|") - or &fatal("failed to run command: $tar_cmd",1); - my $found_cve_2009_4029 = 0; - my $found_cve_2012_3386 = 0; - my $error_string = ''; - while (defined (my $line = )) { - if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) { - $found_cve_2009_4029 = 1; - } - if ($line =~ /chmod a\+w \$\(distdir\)/) { - $found_cve_2012_3386 = 1; - } - } - close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop - - # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point people to that version instead - # of 1.11.1, which fixes CVE-2009-4029. Ward, 2012-07-20 - $found_cve_2009_4029 and $error_string .= "upload rejected: $upload_file contains a vulnerable " - . "Makefile.in (CVE-2009-4029);\n" - . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; + use lib '.'; + use CheckVulnerabilities qw(&check_vulnerabilities); + my ($error_string, $error_log_ref) = check_vulnerabilities($upload_file,$log_style,$DEBUG); - $found_cve_2012_3386 and $error_string .= "upload rejected: $upload_file contains a vulnerable " - . "Makefile.in (CVE-2012-3386);\n" - . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; + my @error_log = @$error_log_ref; + if ($DEBUG and $#error_log > -1) { + foreach (@error_log) { + ftp_syslog('debug', $_); + } + } - ($found_cve_2009_4029 or $found_cve_2012_3386) and &fatal($error_string,1,'',3); + &fatal($error_string,1,'',3) if ($error_string ne ''); - } ftp_syslog('debug', "($log_style) DEBUG: tested negative for CVE-2009-4029 and CVE-2012-3386") if $DEBUG; } -- 2.25.1