http://bugzilla.spamassassin.org/show_bug.cgi?id=4118

           Summary: (new?) taint issue with --report
           Product: Spamassassin
           Version: 3.0.2
          Platform: HP
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P3
         Component: spamassassin
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


[EMAIL PROTECTED] tmp]$ /opt/perl5.8.1/bin/spamassassin --report < /tmp/spam2
1 message(s) examined.
Insecure dependency in connect while running with -T switch at /opt/perl5.8.1/lib/5.8.1/PA-RISC2.0/IO/Socket.pm line 114, <GEN4> line 1.
[EMAIL PROTECTED] tmp]$ 

From razor's documentation the old patches to fix the taint issues are included
in this version of razor as of 2.40 -- I'm using 2.67:

    http://razor.sourceforge.net/docs/changes.php

I suspect this is a new taint issue -- I tried applying the patch and it is
rejected.  Looking at the source it looks like the untaint patch is already
applied -- consistent with the revision log for razor2:

lib/Razor2/Client/Agent.pm:        @fns = map { /^(\S+)$/, $1 } @fns; # untaint
lib/Razor2/Client/Agent.pm.rej:+         @fns = map { /^(\S+)$/, $1 } @fns; # untaint
lib/Razor2/Client/Agent.pm~:        @fns = map { /^(\S+)$/, $1 } @fns; # untaint
lib/Razor2/Client/Config.pm:            $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
lib/Razor2/Client/Config.pm:            $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
lib/Razor2/Client/Config.pm:            next unless s/^\s*(.+?)\s*$/$1/; # untaint
lib/Razor2/Client/Config.pm:            my ($attribute, $value) = /^\s*(.+?)\s*=\s*(.+?)\s*$/; # untaint
lib/Razor2/Client/Config.pm.rej:+             $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
lib/Razor2/Client/Config.pm.rej:+             $fn = $1 if $fn =~ /^(\S+)$/; # untaint readlink
lib/Razor2/Client/Config.pm.rej:+             next unless s/^\s*(.+?)\s*$/$1/; # untaint
lib/Razor2/Client/Config.pm.rej:+             my ($attribute, $value) = /^\s*(.+?)\s*=\s*(.+?)\s*$/; # untaint

Checking to see if razor is involved at all (setting use_razor2 to 0 in
user_prefs), I still get the error:

[EMAIL PROTECTED] razor-agents-2.67]$ /opt/perl5.8.1/bin/spamassassin --report < /tmp/spam2
1 message(s) examined.
Insecure dependency in connect while running with -T switch at /opt/perl5.8.1/lib/5.8.1/PA-RISC2.0/IO/Socket.pm line 114.
[EMAIL PROTECTED] razor-agents-2.67]$ 

I tried running with -D, but the "Insecure" message only occurs after all of the
debug output.  Running perl in -d debug mode on 'spamassassin --learn' gives me
an immediate error about Insecure dependency and a long stack trace -- doesn't
look useful.

With perl5.6.1 on Linux I get a different error:

[EMAIL PROTECTED] rrauenza]$ /usr/local/perl/bin/spamassassin --report < /tmp/spam2
razor2 report failed: Bad file descriptor Died at /usr/local/perl/lib/site_perl/5.6.1/Mail/SpamAssassin/Reporter.pm line 148, <GEN7> line 1.
1 message(s) examined.
[EMAIL PROTECTED] rrauenza]$ /usr/local/perl/bin/spamassassin --version
SpamAssassin version 3.0.2
  running on Perl version 5.6.1
[EMAIL PROTECTED] rrauenza]$ 

Can anyone else reproduce these?


