[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-402
From: |
Jim Meyering |
Subject: |
[PATCH] maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix |
Date: |
Mon, 09 Jul 2012 16:21:00 +0200 |
I noticed that the CVE-2009-4029-detecting rule wasn't working.
Surprised to find that *two* bugs were behind the failure.
>From b38d59184505f6119a5ffbf3b4a068fd7a9b8fe8 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Mon, 9 Jul 2012 16:11:34 +0200
Subject: [PATCH] maint.mk: _sc_search_regexp,
sc_vulnerable_makefile_CVE-2009-4029: fix
Bugs in both of those conspired to make the
sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless.
_sc_search_regexp's handling of non-empty $in_files would filter
out any offending file names. sc_vulnerable_makefile_CVE-2009-4029's
choice of in_files value meant there would be no match in most
projects, due to the presence of two or more Makefile.in files.
* top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify.
Fix a bug in how a non-empty $$in_files was processed:
(sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files:
in spite of the name, it's a regexp, not a list of file names.
---
ChangeLog | 14 ++++++++++++++
top/maint.mk | 12 +++++++-----
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c0ebb3e..c3da46b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2012-07-09 Jim Meyering <address@hidden>
+
+ maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix
+ Bugs in both of those conspired to make the
+ sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless.
+ _sc_search_regexp's handling of non-empty $in_files would filter
+ out any offending file names. sc_vulnerable_makefile_CVE-2009-4029's
+ choice of in_files value meant there would be no match in most
+ projects, due to the presence of two or more Makefile.in files.
+ * top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify.
+ Fix a bug in how a non-empty $$in_files was processed:
+ (sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files:
+ in spite of the name, it's a regexp, not a list of file names.
+
2012-07-09 Paul Eggert <address@hidden>
getloadavg, getopt: fix commentary re configure.in
diff --git a/top/maint.mk b/top/maint.mk
index a1af711..2361d00 100644
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -187,9 +187,11 @@ syntax-check: $(local-check)
#
# in_vc_files | in_files
#
-# grep-E-style regexp denoting the files to check. If no files
-# are specified the default are all the files that are under
-# version control.
+# grep-E-style regexp selecting the files to check. For in_vc_files,
+# the regexp is used to select matching files from the list of all
+# version-controlled files; for in_files, it's from the names printed
+# by "find $(srcdir)". When neither is specified, use all files that
+# are under version control.
#
# containing | non_containing
#
@@ -261,7 +263,7 @@ define _sc_search_regexp
: Filter by file name; \
if test -n "$$in_files"; then \
files=$$(find $(srcdir) | grep -E "$$in_files" \
- | grep -Ev '$(exclude_file_name_regexp--$@)'); \
+ | grep -Ev '$(_sc_excl)'); \
else
\
files=$$($(VC_LIST_EXCEPT)); \
if test -n "$$in_vc_files"; then \
@@ -1214,7 +1216,7 @@ sc_prohibit_path_max_allocation:
sc_vulnerable_makefile_CVE-2009-4029:
@prohibit='perm -777 -exec chmod a\+rwx|chmod 777 \$$\(distdir\)' \
- in_files=$$(find $(srcdir) -name Makefile.in) \
+ in_files=(^\|/)Makefile\\.in$$ \
halt=$$(printf '%s\n' \
'the above files are vulnerable; beware of running' \
' "make dist*" rules, and upgrade to fixed automake' \
--
1.7.11.1.116.g8228a23
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [PATCH] maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix,
Jim Meyering <=