subject:"Bug#344029\: \[EMAIL PROTECTED\]\: Bug#350954\: DSA\-960\-1 security update breaks libmail\-audit\-perl when $ENV\{HOME\} is not set\]"

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

2006-02-05 Thread Niko Tyni

On Sat, Feb 04, 2006 at 02:59:25PM +0100, Martin Schulze wrote:
 
 Comments to the attached patch, which are least intrusive to the
 update we're already distributing?

It's certainly the minimum required change. However, after this patch
Mail::Audit is still leaving behind a file in /tmp every time it's used
without $HOME, whether logging is enabled or not. And the documentation
remains out of sync. (Naturally, it's your call to decide whether these
should be fixed or not, but I just wanted to point them out.)

FWIW, the patch in #350954 by Robert L Mathews addresses both of these issues.
-- 
Niko Tyni   [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

2006-02-04 Thread Martin Schulze

Niko Tyni wrote:
 Hi security team,
 
 I'm very sorry that you have to hear from me again :(
 
 There's a regression in the patch for DSA-960-1, for both woody and sarge.
 When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
 dying if it's not writable.  This happens even if logging is turned off,
 which makes the problem much more serious.

Doo, I have to agree that it is confusing to have tempdir() use different
parameters as tempfile(), but only partially.

 I have not yet had a proper look at the proposed patches in #350954 and
 the last message of #344029, but I wanted to make you aware of this.
 
 Again, my apologies for the bad handling of this.

Comments to the attached patch, which are least intrusive to the
update we're already distributing?

Regards,

Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -4,7 +4,13 @@
 
 my $logging;
 my $loglevel=3;
-my $logfile = /tmp/.getpwuid($).-audit.log;
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+ $logfile = $ENV{HOME}/.mail_audit.log;
+}
+else {
+ (undef,$logfile) = tempfile(mail_audit.log-X, DIR = 
File::Spec-tmpdir);
+}
 
 # --
 # no user-modifiable parts below this line.
@@ -18,6 +24,8 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
 # @ISA will depend on whether the message is MIME; if it is, we'll be 
MIME::Entity.  if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
+use File::Temp qw(tempfile);
 
 $ASSUME_MSGPREFIX = 0;
 
--- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm
+++ libmail-audit-perl-2.1/Audit/MimeEntity.pm
@@ -4,6 +4,7 @@
 
 use strict;
 use File::Path;
+use File::Temp qw(tempdir);
 use MIME::Parser;
 use MIME::Entity;
 use Mail::Audit::MailInternet;
@@ -12,10 +13,12 @@
 
 $VERSION = '2.0';
 
-$MIME_PARSER_TMPDIR = /tmp/.getpwuid($).-mailaudit;
-
 my $parser = MIME::Parser-new();
 
+# Create a tempdir using File::Temp::tempdir, have it be destroyed at
+# END{} time.
+$MIME_PARSER_TMPDIR = tempdir(CLEANUP = 1);
+
 my @to_rmdir;
 
 sub autotype_new { 
@@ -23,8 +26,6 @@
 my $mailinternet = shift;
 
 $parser-ignore_errors(1);
-mkdir ($MIME_PARSER_TMPDIR, 0777);
-if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = /tmp }
 $parser-output_under($MIME_PARSER_TMPDIR);
 
 # todo: add eval error trapping.  if there's a problem, return 
Mail::Audit::MailInternet as a fallback.
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -6,10 +6,10 @@
 my $loglevel=3;
 my $logfile;
 if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
- $logfile = $ENV{HOME}/.mail_audit.log
+ $logfile = $ENV{HOME}/.mail_audit.log;
 }
 else {
- (undef,$logfile) = tempfile(mail_audit.log-X,TMPDIR=1);
+ (undef,$logfile) = tempfile(mail_audit.log-X, DIR = 
File::Spec-tmpdir);
 }
 
 # --
@@ -24,6 +24,7 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
 # @ISA will depend on whether the message is MIME; if it is, we'll be 
MIME::Entity.  if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Spec;
 use File::Temp qw(tempfile);
 
 $ASSUME_MSGPREFIX = 0;

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

2006-02-01 Thread Niko Tyni

Hi security team,

I'm very sorry that you have to hear from me again :(

There's a regression in the patch for DSA-960-1, for both woody and sarge.
When $HOME is not set, Mail::Audit is now creating logfiles in cwd and
dying if it's not writable.  This happens even if logging is turned off,
which makes the problem much more serious.

I have not yet had a proper look at the proposed patches in #350954 and
the last message of #344029, but I wanted to make you aware of this.

Again, my apologies for the bad handling of this.
-- 
Niko Tyni   [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

3 matches

Site Navigation

Mail list logo

Footer information