From a5d6b613abcf00586bed153a94d9e070b671c0fd Mon Sep 17 00:00:00 2001
From: Jacob Bachmeyer
Date: Thu, 20 Oct 2022 22:31:13 -0500
Subject: [PATCH] Tidy check for known Automake CVEs

While it is very unlikely that anyone will still use such an old version of Automake, the potential risk is significant, so we still check.
---
 gatekeeper.pl | 62 ++++++++++++++++++++++-----------------------------
 1 file changed, 27 insertions(+), 35 deletions(-)

diff --git a/gatekeeper.pl b/gatekeeper.pl
index df11ee4..2c186b5 100755
--- a/gatekeeper.pl
+++ b/gatekeeper.pl
@@ -1698,18 +1698,18 @@ sub automake_tests {
 my $error_string = '';
- if (! -e $upload_file) {
- return "Error: $upload_file not found\n\n";
- }
+ return "Error: $upload_file not found\n\n"
+ unless -e $upload_file;
- if (! -r $upload_file) {
- return "Error: $upload_file is unreadable\n\n";
- }
+ return "Error: $upload_file is unreadable\n\n"
+ unless -r $upload_file;
 # Reject an upload tarball if it contains a Makefile.in vulnerable
 # as described in CVE-2009-4029.
 # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
 if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) {
+ local *_;
+
 # First check if the file contains any Makefile.in files
 ftp_syslog('debug',"DEBUG: "
 ."testing $upload_file for presence of Makefile.in")
@@ -1718,18 +1718,15 @@ sub automake_tests {
 open TAR, '-|', @tar_cmd
 or return 'Error: failed to run command: '.join(' ',@tar_cmd)."\n\n";
 my $found_makefile = 0;
- while (defined (my $line = )) {
- if ($line =~ /Makefile.in/i) {
- $found_makefile = 1;
- last;
- }
- }
+ while () { $found_makefile++, last if m/Makefile.in/i }
 close TAR; # We don't care about errors here; the pipe can cause
 # non-zero exit codes when tar is unhappy that it's asked
 # to stop
- return $error_string
- if (!$found_makefile);
+ return '' unless $found_makefile;
+
 # If it does, check inside them
+ my $found_cve_2009_4029 = 0;
+ my $found_cve_2012_3386 = 0;
 ftp_syslog('debug',"DEBUG: found Makefile.in, "
 ."testing for CVE-2009-4029 and CVE-2012-3386")
 if DEBUG;
@@ -1737,15 +1734,11 @@ sub automake_tests {
 qw(Makefile.in --wildcards */Makefile.in));
 open TAR, '-|', @tar_cmd
 or return 'Error: failed to run command: '.join(' ',@tar_cmd)."\n\n";
- my $found_cve_2009_4029 = 0;
- my $found_cve_2012_3386 = 0;
- while (defined (my $line = )) {
- if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) {
- $found_cve_2009_4029 = 1;
- }
- if ($line =~ /chmod a\+w \$\(distdir\)/) {
- $found_cve_2012_3386 = 1;
- }
+ while () {
+ $found_cve_2009_4029 = 1
+ if m/perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/;
+ $found_cve_2012_3386 = 1
+ if m/chmod a\+w \$\(distdir\)/;
 }
 close TAR; # We don't care about errors here; the pipe can cause
 # non-zero exit codes when tar is unhappy that it's asked
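Review bot: The new one-liner `while () { $found_makefile++, last if m/Makefile.in/i }` chains `$found_makefile++` and `last` with the comma operator under a single postfix `if`, a construct perlcritic flags as a comma-separated statement, and it keeps the unescaped `.` in `Makefile.in`, so the listing check also matches names such as `Makefile-in` and needlessly triggers the second tar pass. A plain loop body keeps the intent visible: `if (m/Makefile\.in/i) { $found_makefile = 1; last }`. The loop now reads the TAR handle into `$_` implicitly (the angle-bracket readline appears stripped in this rendering, presumably an artifact since `close TAR` follows), which only works because of the `local *_;` introduced in the preceding hunk, so a one-line comment next to that `local`, such as `# the tar scans below read into $_`, would keep the coupling from being broken by a later edit. automake_tests begins before this hunk and continues after it.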
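Review bot: The two fingerprints in the rewritten loop, `m/perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/` and `m/chmod a\+w \$\(distdir\)/`, are the only place the file says what a vulnerable Makefile.in looks like, yet nothing next to them says which CVE each one detects or that the first alternation covers two generator variants; the reader has to match them against the comment in the next hunk by variable name. A comment above the loop along the lines of `# CVE-2009-4029: dist rules that make the distribution tree world-writable (two variants); CVE-2012-3386: $(distdir) made world-writable; both fixed in automake 1.11.6 / 1.12.2` would make the check self-explaining, and `last if $found_cve_2009_4029 && $found_cve_2012_3386;` at the end of the body would stop reading the extracted files once both markers are seen, matching the early exit the listing scan already uses. The `open TAR` and `close TAR` around the loop are context lines, and the sub continues past this hunk.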
@@ -1754,25 +1747,25 @@ sub automake_tests {
 # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point
 # people to that version instead of 1.11.1, which fixes
 # CVE-2009-4029. Ward, 2012-07-20
- $found_cve_2009_4029
- and $error_string .= "file rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2009-4029);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ $error_string .= "file rejected: $upload_file contains a vulnerable "
+ . "Makefile.in (CVE-2009-4029);\n"
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"
+ if $found_cve_2009_4029;
- $found_cve_2012_3386
- and $error_string .= "file rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2012-3386);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ $error_string .= "file rejected: $upload_file contains a vulnerable "
+ . "Makefile.in (CVE-2012-3386);\n"
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"
+ if $found_cve_2012_3386;
 }
+ return $error_string;
 }
 sub check_vulnerabilities {
 my $upload_file = shift;
- my $error_string =
- automake_tests($upload_file);
+ my $error_string = automake_tests($upload_file);
 return $error_string;
 }
@@ -1816,8 +1809,7 @@ sub check_files {
 $valid or fatal("gpg verify of upload file ($upload_file) failed",1);
- my $error_string =
- check_vulnerabilities($upload_file);
+ my $error_string = check_vulnerabilities($upload_file);
 fatal($error_string,1,'',3) if ($error_string ne '');
--
2.25.1
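Review bot: The added `return $error_string;` after the closing brace of the tarball check is a behavior fix rather than a tidy: in the old code the sub fell off the end, so once the Makefile.in files had been scanned its value was that of the last expression evaluated, the `$found_cve_2012_3386 and ...` chain, which is 0 whenever that marker is absent, and the caller in check_files tests the result with `ne ''`, under which a 0 counts as an error. If I read the old context right, a tarball with only the CVE-2009-4029 marker, or with a Makefile.in and no marker at all, used to be rejected with a bare `0` as the message, and the commit message should say that this commit changes that outcome rather than only reformatting. A one-line comment on the new return, `# Explicit return: the sub's value must be the accumulated message, not the last condition evaluated`, would keep the next tidy from dropping it again. The rewrap in the check_files hunk below is fine as is.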