Re: [savannah-help-public] failing upload of groff due CVE-2012-3386
From: Sergey Poznyakoff
Subject: Re: [savannah-help-public] failing upload of groff due CVE-2012-3386
Date: Sat, 29 Dec 2012 16:07:17 +0200
Hi!
Karl Berry <address@hidden> wrote:
> Sergey, I couldn't find the current script you use at puszcza. Maybe
> you can answer Werner? (And please send me or the list the script,
> ok?
Well, what I use at puszcza is this:
case ${WYDAWCA_DIST_FILE} in
*.tar|*.tar.*)
    # Stream the matching Makefile.in members to stdout and look for the pattern.
    if tar -xOf "${WYDAWCA_DIST_FILE}" \
           --wildcards --no-wildcards-match-slash '*/Makefile.in' | \
       grep -q 'chmod a+w'; then
        fmt <<_EOF_
Some of the Makefile.in's in ${WYDAWCA_DIST_FILE} contain a locally
exploitable race condition (see CVE-2012-3386, for more details).
Please, rebuild the package using a newer Automake (v. 1.11.6 / 1.12.2
or newer) and resubmit.
_EOF_
[...]
(the variable WYDAWCA_DIST_FILE keeps the name of the uploaded archive).
Notice, however, that Puszcza uses "wydawca"[1] to process uploads, whereas
Savane uses a Perl script for the purpose. Nevertheless, the idea is
the same: the Makefile.in's are grepped for the suspicious pattern and
the upload is rejected if such is found.
Werner, I'd suggest inspecting your Makefile.in's for that string
('chmod a+w'). In automake-generated files it occurs in the following
context:
    chmod -R a-w $(distdir); chmod a+w $(distdir)
Perhaps your Makefiles contain the same logic? In this case, changing
'a+w' to 'u+w' will both avoid the security hole and pacify the
upload software.
Regards,
Sergey
[1] http://www.gnu.org.ua/software/wydawca
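
The check described in the message, as an added example that is not part of the original post and is neither the wydawca hook nor Savane's script. It goes one step beyond the fragment above by naming each Makefile.in that matches, at any directory depth; scan_dist and make_sample are hypothetical names, and the sample archive is constructed.

```shell
#!/bin/sh
# Added example; not the wydawca hook from the message and not Savane's script.

# scan_dist ARCHIVE
# Print every Makefile.in member of ARCHIVE that contains 'chmod a+w'.
# Returns 0 if none do, 1 if at least one does, 2 if tar cannot read ARCHIVE.
scan_dist() {
    archive=$1
    members=$(tar -tf "$archive" 2>/dev/null) || return 2
    found=0
    # Member names are chosen by the uploader: treat them as data only.
    while IFS= read -r member; do
        case $member in
            Makefile.in|*/Makefile.in) ;;
            *) continue ;;
        esac
        # Stream the member to stdout; nothing is unpacked to disk.
        if tar -xOf "$archive" -- "$member" 2>/dev/null |
           grep -q 'chmod a+w'; then
            printf '%s\n' "$member"
            found=1
        fi
    done <<EOF
$members
EOF
    return "$found"
}

# make_sample DIR NAME PERM
# Build DIR/NAME.tar with one constructed Makefile.in whose distdir rule
# runs "chmod PERM" (sample data for trying scan_dist, not a real package).
make_sample() {
    mkdir -p "$1/$2/src" &&
    printf 'distdir:\n\tchmod -R a-w $(distdir); chmod %s $(distdir)\n' "$3" \
        > "$1/$2/src/Makefile.in" &&
    tar -cf "$1/$2.tar" -C "$1" "$2"
}
```

A sample built with make_sample DIR NAME a+w is reported by scan_dist, while the same sample built with u+w, the change suggested in the message, passes.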