Package: fuzzyocr
Version: 3.5.1+svn135-1.2
Severity: normal
Tags: patch

FuzzyOcr allows logging to file with the focr_logfile option like so:

   focr_logfile /some/path/file

However, because nowadays spamassassin runs with Perl 'taint' mode enabled,
opening this file is not allowed:

   warn: plugin: eval failed: Insecure dependency in open while running with -T
                 switch at /usr/share/perl5/FuzzyOcr/Logging.pm line 36.

Apparently also causing parsing errors:

   info: config: failed to parse line, skipping, in 
                 "/etc/spamassassin/FuzzyOcr.cf":
                 focr_bin_helper pnmnorm, pnminvert, ppmtopgm

but ultimately causing the FuzzyOcr plugin not to run:

   warn: rules: failed to run FUZZY_OCR test, skipping:

Unfortunately this has far-reaching consequences because now sa-compile will
fail to run to completion:

   rules: failed to run FUZZY_OCR test, skipping:
          (Insecure dependency in open while running with -T switch at
           /usr/share/perl5/FuzzyOcr/Logging.pm line 36.)
   sa-compile: not compiling; 'spamassassin --lint' check failed!

which can also cause the spamassassin daily cron job to exit with an error.

The attached patch works around this problem by explicitly 'untainting' the
FuzzyOcr logfile. Now the FuzzyOcr plugin will work again and sa-compile
will run to its completion.

There might be a security impact with this change, so you might want to talk
to the spamassassin maintainers about this.


Arjan

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.27.21 (PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuzzyocr depends on:
ii  giflib-tools                  4.1.6-9    library for GIF images (utilities)
ii  gifsicle                      1.58-1     Tool for manipulating GIF images
ii  gocr                          0.46-2.1   A command line OCR
ii  libdbd-mysql-perl             4.012-1+b1 A Perl5 database interface to the 
ii  libmldbm-sync-perl            0.30-3     Perl module for safe concurrent ac
ii  libstring-approx-perl         3.26-1     Perl extension for approximate mat
ii  libtie-cache-perl             0.17-4     perl Tie::Cache - LRU Cache in Mem
ii  netpbm                        2:10.0-12  Graphics conversion tools
ii  ocrad                         0.17-4     Optical Character Recognition prog
ii  perl [libdigest-md5-perl]     5.10.1-9   Larry Wall's Practical Extraction 
ii  spamassassin                  3.3.0-1    Perl-based spam filter using text 
ii  tesseract-ocr-eng             2.00-1     tesseract-ocr language files for E

fuzzyocr recommends no packages.

fuzzyocr suggests no packages.

-- no debconf information
--- Logging.pm.ORIG     2010-02-03 10:54:38.000000000 +0100
+++ Logging.pm  2010-02-03 10:55:49.000000000 +0100
@@ -31,7 +31,8 @@ sub logfile {
     my $time = strftime("%Y-%m-%d %H:%M:%S",localtime(time));
     $logtext =~ s/\n/\n                      /g;
 
-    unless ( open LOGFILE, ">>", $conf->{focr_logfile} ) {
+    my $fname = 
Mail::SpamAssassin::Util::untaint_file_path($conf->{focr_logfile});
+    unless ( open LOGFILE, ">>", $fname ) {
        warn "Can't open $conf->{focr_logfile} for writing, check permissions";
        return;
     }
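Review bot: the new `unless ( open LOGFILE, ">>", $fname )` check does not handle the case where `Mail::SpamAssassin::Util::untaint_file_path` rejects the configured path and returns an undefined or empty value; the `open` then fails with the misleading message "Can't open ... for writing, check permissions" although the permissions are fine and the path simply contains characters the untainter does not accept. Suggest testing the result first, e.g. `unless ( defined $fname && length $fname ) { warn "focr_logfile '$conf->{focr_logfile}' rejected as unsafe path"; return; }` before the `open`. Also, in the hunk as shown the added `my $fname =` statement is split over two lines and the continuation line `Mail::SpamAssassin::Util::untaint_file_path($conf->{focr_logfile});` has no leading `+`, so the hunk would not apply with `patch` as is; re-send with the statement on a single `+` line (or both lines prefixed). On the reporter's security concern: the path comes from the administrator-controlled FuzzyOcr.cf, not from message content, and untaint_file_path only passes a restricted character set, so untainting here is consistent with how SpamAssassin handles its own configured paths.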
