From acea523f51898d8da5e12742ed6ff15f6a2ffcbf Mon Sep 17 00:00:00 2001 From: Jacob Bachmeyer Date: Wed, 5 Oct 2022 23:20:00 -0500 Subject: [PATCH] Merge CheckVulnerabilities module into main script --- CheckVulnerabilities.pm | 91 ----------------------------------------- gatekeeper.pl | 79 +++++++++++++++++++++++++++++++++-- 2 files changed, 75 insertions(+), 95 deletions(-) delete mode 100644 CheckVulnerabilities.pm diff --git a/CheckVulnerabilities.pm b/CheckVulnerabilities.pm deleted file mode 100644 index 478df99..0000000 --- a/CheckVulnerabilities.pm +++ /dev/null @@ -1,91 +0,0 @@ -package CheckVulnerabilities; - -my $NAME = 'test-vulnerabilities.pl'; -my $DATE = '2013/01/23 20:26:29'; -my $AUTHORS = "Jim Meyering , Ward Vandewege "; -my $COPYRIGHT = "2013"; -my $LICENSE = "GPLv3 or later - http://www.fsf.org/licenses/gpl.txt"; -my $URL = "http://www.gnu.org/prep/maintain/html_node/Automated-FTP-Uploads.html"; - -use strict; -use Exporter; -use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); - -$VERSION = 1.00; -@ISA = qw(Exporter); -@EXPORT = (); -@EXPORT_OK = qw(check_vulnerabilities); -%EXPORT_TAGS = ( DEFAULT => [qw(&check_vulnerabilities)] ); - -sub check_vulnerabilities { - my ($upload_file,$log_style,$debug) = @_; - - my ($error_string, $error_log_ref) = &automake_tests($upload_file,$log_style,$debug); - - return ($error_string, $error_log_ref); -} - -sub automake_tests { - my ($upload_file,$log_style,$debug) = @_; - - my $error_string = ''; - my @debug_log; - - if (! -e $upload_file) { - return("Error: $upload_file not found\n\n", \@debug_log); - } - - if (! -r $upload_file) { - return("Error: $upload_file is unreadable\n\n", \@debug_log); - } - - # Reject an upload tarball if it contains a Makefile.in vulnerable - # as described in CVE-2009-4029. - # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131 - if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) { - # First check if the file contains any Makefile.in files - push(@debug_log,"($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $debug; - my $tar_cmd = "/bin/tar -tf $upload_file"; - open (TAR, "$tar_cmd|") - or return("Error: failed to run command: $tar_cmd\n\n", \@debug_log); - my $found_makefile = 0; - while (defined (my $line = )) { - if ($line =~ /Makefile.in/i) { - $found_makefile = 1; - last; - } - } - close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop - return ($error_string, \@debug_log) if (!$found_makefile); - # If it does, check inside them - push(@debug_log,"($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029 and CVE-2012-3386") if $debug; - $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file 'Makefile.in' --wildcards '*/Makefile.in' 2>/dev/null"; - open (TAR, "$tar_cmd|") - or return("Error: failed to run command: $tar_cmd\n\n", \@debug_log); - my $found_cve_2009_4029 = 0; - my $found_cve_2012_3386 = 0; - while (defined (my $line = )) { - if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) { - $found_cve_2009_4029 = 1; - } - if ($line =~ /chmod a\+w \$\(distdir\)/) { - $found_cve_2012_3386 = 1; - } - } - close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop - - # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point people to that version instead - # of 1.11.1, which fixes CVE-2009-4029. Ward, 2012-07-20 - $found_cve_2009_4029 and $error_string .= "file rejected: $upload_file contains a vulnerable " - . "Makefile.in (CVE-2009-4029);\n" - . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; - - $found_cve_2012_3386 and $error_string .= "file rejected: $upload_file contains a vulnerable " - . "Makefile.in (CVE-2012-3386);\n" - . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; - - } - return ($error_string, \@debug_log); -} - -1; diff --git a/gatekeeper.pl b/gatekeeper.pl index c32dabc..16aa249 100755 --- a/gatekeeper.pl +++ b/gatekeeper.pl @@ -97,6 +97,10 @@ # Imported into Git by Jacob Bachmeyer (jcb@gnu.org), July 2020 # Further changes are tracked in Git. +# The CheckVulnerabilities module written by Jim Meyering +# and Ward Vandewege with internal +# timestamp 2013/01/23 20:26:29 was merged into this main script. + # # - Message reporting @@ -157,10 +161,6 @@ use Cwd; use Email::MessageID; umask (022); -use lib '.'; -use CheckVulnerabilities qw(&check_vulnerabilities); -no lib '.'; - BEGIN { $ENV{'LC_ALL'} = 'C'; # do not think about multibyte characters @@ -1206,6 +1206,77 @@ sub read_directive_file { return 0; } +sub automake_tests { + my ($upload_file,$log_style,$debug) = @_; + + my $error_string = ''; + my @debug_log; + + if (! -e $upload_file) { + return("Error: $upload_file not found\n\n", \@debug_log); + } + + if (! -r $upload_file) { + return("Error: $upload_file is unreadable\n\n", \@debug_log); + } + + # Reject an upload tarball if it contains a Makefile.in vulnerable + # as described in CVE-2009-4029. + # http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131 + if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) { + # First check if the file contains any Makefile.in files + push(@debug_log,"($log_style) DEBUG: testing $upload_file for presence of Makefile.in") if $debug; + my $tar_cmd = "/bin/tar -tf $upload_file"; + open (TAR, "$tar_cmd|") + or return("Error: failed to run command: $tar_cmd\n\n", \@debug_log); + my $found_makefile = 0; + while (defined (my $line = )) { + if ($line =~ /Makefile.in/i) { + $found_makefile = 1; + last; + } + } + close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop + return ($error_string, \@debug_log) if (!$found_makefile); + # If it does, check inside them + push(@debug_log,"($log_style) DEBUG: found Makefile.in, testing for CVE-2009-4029 and CVE-2012-3386") if $debug; + $tar_cmd = "/bin/tar --to-stdout -x -f $upload_file 'Makefile.in' --wildcards '*/Makefile.in' 2>/dev/null"; + open (TAR, "$tar_cmd|") + or return("Error: failed to run command: $tar_cmd\n\n", \@debug_log); + my $found_cve_2009_4029 = 0; + my $found_cve_2012_3386 = 0; + while (defined (my $line = )) { + if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) { + $found_cve_2009_4029 = 1; + } + if ($line =~ /chmod a\+w \$\(distdir\)/) { + $found_cve_2012_3386 = 1; + } + } + close(TAR); # We don't care about errors here; the pipe can cause non-zero exit codes when tar is unhappy that it's asked to stop + + # Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point people to that version instead + # of 1.11.1, which fixes CVE-2009-4029. Ward, 2012-07-20 + $found_cve_2009_4029 and $error_string .= "file rejected: $upload_file contains a vulnerable " + . "Makefile.in (CVE-2009-4029);\n" + . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; + + $found_cve_2012_3386 and $error_string .= "file rejected: $upload_file contains a vulnerable " + . "Makefile.in (CVE-2012-3386);\n" + . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"; + + } + return ($error_string, \@debug_log); +} + +sub check_vulnerabilities { + my ($upload_file,$log_style,$debug) = @_; + + my ($error_string, $error_log_ref) = &automake_tests($upload_file,$log_style,$debug); + + return ($error_string, $error_log_ref); +} + # # - [AZ] Authorization -- 2.25.1