On Sat, Feb 06, 2010 at 09:17:10AM +1300, Francois Marier wrote:
>
> It appears that FuzzyOcr no longer runs on my sid box. I get a lot of these 
> in my logs:
> 
>   spamd[23016]: FuzzyOcr: Error running preprocessor(ppmtopgm): 
> /usr/bin/ppmtopgm
>   spamd[23016]: FuzzyOcr: Return code: 2048, Error: save_execute: Insecure 
> dependency in exec while running setuid at /usr/share/perl5/FuzzyOcr/Misc.pm 
> line 188.
>
>   spamd[23016]: FuzzyOcr: Unable to read output from 
> "/tmp/.spamassassin23016gw80E3tmp/scanset.tesseract.out.txt" for scanset 
> tesseract
>   spamd[23016]: FuzzyOcr: Errors in Scanset "tesseract"
>   spamd[23016]: FuzzyOcr: Return code: 2048, Error: save_execute: Insecure 
> dependency in exec while running setuid at /usr/share/perl5/FuzzyOcr/Misc.pm 
> line 188.

The programs that have errors are most probably the ones you defined with a
focr_bin_helper line in the config file, right?

> Could it be that FuzzyOcr doesn't work with Perl 5.10?

No, the current version of SpamAssassin uses Perl's taint mode to mark
config data as possibly dangerous. The FuzzyOcr config file is read with the
SpamAssassin parser. This causes the names of the helper programs you
defined to be considered as tainted data. And when running in taint mode,
Perl will not execute external programs when it derives the name from a
tainted variable.

I hacked around this by explicitly untainting the data from focr_bin_helper
and focr_bin_<progname> config entries by using the included patch. At the
moment this is sufficient to have FuzzyOcr running without errors on my
system, but I might have missed some corner cases. The included patch should
probably also be reviewed for security implications.


Arjan


--- Config.pm.ORIG      2010-02-18 12:58:40.000000000 +0100
+++ Config.pm   2010-02-18 14:44:02.000000000 +0100
@@ -577,7 +577,7 @@ sub parse_config {
         return 1;
     } elsif ($opts->{key} eq 'focr_bin_helper') {
         my @cmd; $conf = $opts->{conf};
-        my $val = $opts->{value}; $val =~ s/[\s]*//g;
+        my $val = Mail::SpamAssassin::Util::untaint_var($opts->{value}); $val 
=~ s/[\s]*//g;
         debuglog("focr_bin_helper: '$val'");
         foreach my $bin (split(',',$val)) {
             unless (grep {m/$bin/} @bin_utils) {
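Review bot: the `+` line untaints the whole focr_bin_helper value with `untaint_var` before it is split, so whatever was typed into the config line becomes acceptable to exec; an anchored capture such as `/^([\w.+-]+)$/` applied to each `$bin` after the `split(',',$val)` would let only plausible program names through, and would also firm up the following `unless (grep {m/$bin/} @bin_utils)` check, which currently uses `$bin` as an unanchored regex rather than comparing it as a literal name. Separately, the replacement line has been wrapped by the mailer between `$val` and `=~ s/[\s]*//g;`, so the patch needs that line rejoined before it will apply.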
@@ -618,6 +618,7 @@ sub finish_parsing_end {
             delete $conf->{$b};
         } 
         if (defined $conf->{$b}) {
+            $conf->{$b} = Mail::SpamAssassin::Util::untaint_var($conf->{$b});
             debuglog("Using $a => $conf->{$b}");
         } else {
             foreach my $p (@paths) {
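Review bot: the added line untaints `$conf->{$b}` wholesale inside the `if (defined $conf->{$b})` branch, i.e. the case where the admin supplied the helper path in the config, and that value is what ends up being exec'd; it would be safer to accept it only when it is an absolute path to an executable (for example `-x $conf->{$b}` together with an anchored capture like `/^(\/[\w.\/+-]+)$/`) and fall through to the `@paths` search otherwise. Also, neither hunk adds a `use Mail::SpamAssassin::Util;`, so confirm Config.pm already loads it, since the fully qualified call only works once the module has been loaded somewhere.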


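An added example in Perl, not part of the bug report or of FuzzyOcr: it reproduces the taint failure on a constructed focr_bin_helper value and then untaints by validating each entry against an anchored pattern, in contrast with untainting the whole value as the patch does. The config value, the directory list and the rejected entry are constructed for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not FuzzyOcr or SpamAssassin code: why a helper name that
# came from a config file dies in taint mode, and how to untaint it by
# validating it instead of clearing the taint flag on the whole value.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed config value.  An empty slice of a tainted %ENV value carries
# the taint flag, so $val is tainted just as if it had been read from a file.
my $taint = substr(join('', values %ENV), 0, 0);
my $val   = 'ppmtopgm, tesseract' . $taint;
$val =~ s/\s//g;                                    # same stripping as Config.pm

# Taint mode also refuses to exec under an untrusted PATH, so pin it first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

printf "'%s' tainted=%d\n", $val, tainted($val) ? 1 : 0;   # tainted=1

# Handing the tainted value to system/exec is fatal before anything runs;
# this is the "Insecure dependency" that spamd logs.
eval { system($val); 1 } or print "taint check fired: $@";

# Untaint by validation: only a capture from an anchored, restrictive
# pattern comes out untainted, so "tesseract;id" never reaches exec.
sub untaint_helper_names {
    my ($raw) = @_;
    my @names;
    for my $name (split /,/, $raw) {
        $name =~ /\A([\w.+-]+)\z/
            or die "refusing focr_bin_helper entry '$name'\n";
        push @names, $1;                            # $1 is untainted
    }
    return @names;
}

# Resolve each name over a fixed directory list (constructed here), like the
# @paths search in Config.pm, so the exec never depends on a config-supplied
# directory.
my @paths = qw(/usr/local/bin /usr/bin /bin);
for my $bin (untaint_helper_names($val)) {
    my ($path) = grep { -x $_ } map { "$_/$bin" } @paths;
    printf "'%s' tainted=%d %s\n", $bin, tainted($bin) ? 1 : 0,
        defined $path ? "-> $path (safe for list-form system)" : "(not found)";
}

# The same validation rejects an entry that a blanket untaint would let through.
eval { untaint_helper_names('tesseract;id' . $taint); 1 } or print "rejected: $@";
```

Run it as `perl -T taint_demo.pl` so taint mode is on from the start; the helper names do not need to be installed, since the taint check fires before anything is executed.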

