Diffstat (limited to 'etc')
-rw-r--r-- | etc/wydawca.rc | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/etc/wydawca.rc b/etc/wydawca.rc
index d40cf35..08c51dd 100644
--- a/etc/wydawca.rc
+++ b/etc/wydawca.rc
@@ -278,8 +278,8 @@ The Project Submission Robot
 EOT;
 }
-/* Make sure the distributed tarball does not contain a security hole
- * described in CVE-2009-4029. Reject it, if it does.
+/* Make sure the distributed tarball does not contain security vulnerabilities
+ * CVE-2012-3386 and CVE-2009-4029. Reject it, if it does.
 * See `info wydawca verification', for a description of check-script.
 *
 * Note: this script relies on GNU tar and grep.
@@ -288,6 +288,22 @@ check-script <<EOT
 case ${WYDAWCA_DIST_FILE} in
 *.tar|*.tar.*)
 if tar -xOf ${WYDAWCA_DIST_FILE} --occurrence=1 \
+ --wildcards --no-wildcards-match-slash '*/Makefile.in' | \
+ grep -q 'chmod a+w'; then
+ fmt <<_EOF_
+Some of the Makefile.in's in ${WYDAWCA_DIST_FILE} contain a locally
+exploitable race condition (see CVE-2012-3386[1], for more details).
+
+Please, rebuild your package using Automake v. 1.11.6 / 1.12.2
+or newer and resubmit.
+_EOF_
+ cat <<_EOF_
+--
+[1] https://security-tracker.debian.org/tracker/CVE-2012-3386
+_EOF_
+ exit 1
+ fi
+ if tar -xOf ${WYDAWCA_DIST_FILE} --occurrence=1 \
 --wildcards --no-wildcards-match-slash '*/Makefile.in' | \
 grep -q 'perm -777'; then
 fmt <<_EOF_ |
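Review bot: The added `if tar -xOf ${WYDAWCA_DIST_FILE} --occurrence=1 \` line leaves the expansion unquoted, matching the pre-existing check below it, so a submitted file name containing whitespace or glob characters would be word-split before it reaches tar; `if tar -xOf "${WYDAWCA_DIST_FILE}" --occurrence=1 \` on both `if` lines closes that, assuming the check-script body is run by a POSIX shell rather than expanded by wydawca first. The new block also repeats the following one almost verbatim, so every submission is now decompressed and scanned twice, which is worth folding into one pass if large tarballs are common. `grep -q 'chmod a+w'` is a literal substring match (`+` is not special in a basic regex), so a Makefile.in that merely mentions that string in a comment is rejected while a differently spelled variant passes; a one-line comment such as `# matches the distcheck recipe emitted by Automake < 1.11.6 / 1.12.2 (CVE-2012-3386)` would let the next maintainer judge the pattern. The enclosing `case` and the check-script heredoc continue outside the hunk.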