maint: add a syntax-check rule to check for vulnerable Makefile.in

* top/maint.mk (sc_vulnerable_makefile_CVE-2009-4029): New rule.

diff --git a/ChangeLog b/ChangeLog
index 25159f14231e695bffea9f135d7932ecc1115b29..8b5597f0dbe2504c30b76deab5487c10f1d5ca0a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2010-01-28  Jim Meyering  <meyering@redhat.com>
+
+       maint: add a syntax-check rule to check for vulnerable Makefile.in
+       * top/maint.mk (sc_vulnerable_makefile_CVE-2009-4029): New rule.
+
 2010-01-27  Jim Meyering  <meyering@redhat.com>
 
        ncftpput-ftp: clean up spaces

diff --git a/top/maint.mk b/top/maint.mk
index d384ca62b25c4c278561c323b3876f73b1abf1bc..f9eed6aa555154f797d17dd65da31515ec132fcb 100644 (file)
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -726,6 +726,19 @@ sc_Wundef_boolean:
        @grep -Ei '^#define.*(yes|no|true|false)$$' '$(CONFIG_INCLUDE)' && \
          { echo 'Use 0 or 1 for macro values' 1>&2; exit 1; } || :
 
+sc_vulnerable_makefile_CVE-2009-4029:
+       @files=$$(find $(srcdir) -name Makefile.in);                    \
+       if test -n "$$files"; then                                      \
+         grep -E                                                       \
+           'perm -777 -exec chmod a\+rwx|chmod 777 \$$\(distdir\)'     \
+           $$files &&                                                  \
+         { echo '$(ME): the above files are vulnerable; beware of'     \
+           'running "make dist*" rules, and upgrade to fixed automake' \
+           'see http://bugzilla.redhat.com/542609 for details'         \
+               1>&2; exit 1; } || :;                                   \
+       else :;                                                         \
+       fi
+
 vc-diff-check:
        (unset CDPATH; cd $(srcdir) && $(VC) diff) > vc-diffs || :
        if test -s vc-diffs; then                               \