On 2017-02-10 at 12:57 +0000, Andrew C Aitchison wrote: > This is about a perl security issue that was not accepted directly into exim > in July/August 2016.
Hrm. This isn't about Perl embedded inside Exim and thus setuid, but instead scripts bundled, which run without elevated privilege, on the basis that someone might theoretically invoke exim scripts while in a directory to which untrusted users can write. Also, where other scripting languages default to "same directory as script, or current directory if we can't figure that out", Perl uses "current directory" is is anomalous. I suppose the odds are pretty high that someone might invoke it while in /tmp and we should protect against it. I don't see any harm from the patch for our scripts; it's an annoying extra hoop to jump through, but that's about it. I'll apply this change to all our Perl scripts. I will however place it after warnings/strict, there's no reason to exempt executing Perl from basic sanity checks. I'm classifying this as "stupid and annoying of Perl and we shouldn't have to do it, but reality sucks, changing the behavior is non-trivial and so in the meantime we either deal with it in Perl or stop using Perl". Changed all; "perl -c" applies; also caught a couple of shell scripts with embedded Perl. Cherry-picked into the release branch. This means that there is likely to be an RC4. -Phil
signature.asc
Description: Digital signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
