Package: fuzzyocr
Version: 3.5.1+svn135-1.2
Severity: normal
Tags: patch

FuzzyOcr allows logging to file with the focr_logfile option like so:

    focr_logfile /some/path/file

However, because nowadays spamassassin runs with Perl 'taint' mode enabled, opening this file is not allowed:

    warn: plugin: eval failed: Insecure dependency in open while running with -T switch at /usr/share/perl5/FuzzyOcr/Logging.pm line 36.

Apparently also causing parsing errors:

    info: config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, ppmtopgm

but ultimately causing the FuzzyOcr plugin not to run:

    warn: rules: failed to run FUZZY_OCR test, skipping:

Unfortunately this has far-reaching consequences because now sa-compile will fail to run to completion:

    rules: failed to run FUZZY_OCR test, skipping: (Insecure dependency in open while running with -T switch at /usr/share/perl5/FuzzyOcr/Logging.pm line 36.)
    sa-compile: not compiling; 'spamassassin --lint' check failed!

which can also cause the spamassassin daily cron job to exit with an error.

The attached patch works around this problem by explicitly 'untainting' the FuzzyOcr logfile. Now the FuzzyOcr plugin will work again and sa-compile will run to its completion.

There might be a security impact with this change, so you might want to talk to the spamassassin maintainers about this.
Arjan

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.27.21 (PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuzzyocr depends on:
ii  giflib-tools               4.1.6-9     library for GIF images (utilities)
ii  gifsicle                   1.58-1      Tool for manipulating GIF images
ii  gocr                       0.46-2.1    A command line OCR
ii  libdbd-mysql-perl          4.012-1+b1  A Perl5 database interface to the
ii  libmldbm-sync-perl         0.30-3      Perl module for safe concurrent ac
ii  libstring-approx-perl      3.26-1      Perl extension for approximate mat
ii  libtie-cache-perl          0.17-4      perl Tie::Cache - LRU Cache in Mem
ii  netpbm                     2:10.0-12   Graphics conversion tools
ii  ocrad                      0.17-4      Optical Character Recognition prog
ii  perl [libdigest-md5-perl]  5.10.1-9    Larry Wall's Practical Extraction
ii  spamassassin               3.3.0-1     Perl-based spam filter using text
ii  tesseract-ocr-eng          2.00-1      tesseract-ocr language files for E

fuzzyocr recommends no packages.

fuzzyocr suggests no packages.

-- no debconf information
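As an added illustration (not part of the bug report, nor code from FuzzyOcr or SpamAssassin), the following stand-alone Perl script reproduces the failure the report describes and the effect of the patch's approach: a log path read from a configuration source is tainted, open() on it is fatal under -T, and a regex capture against an allow-list of path characters, the same principle Mail::SpamAssassin::Util::untaint_file_path applies, yields a value that open() accepts. The config line, the untaint_path helper and the /tmp/fuzzyocr-example.log path are constructed for this example and are assumptions of it.

```perl
#!/usr/bin/perl -T
# Added illustration, not part of the bug report or of FuzzyOcr: shows why a
# log path read from a config file cannot be opened under Perl's -T switch,
# and how an allow-list regex capture (the same idea behind
# Mail::SpamAssassin::Util::untaint_file_path) makes it usable again.
# The config line and the log path below are constructed for this example.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Read the constructed config line from the DATA section. Data read from a
# filehandle is tainted under -T; appending an empty slice of %ENV (also
# tainted) guarantees the taint regardless of how DATA is treated.
my $cfg_line = <DATA>;
chomp $cfg_line;
$cfg_line .= substr($ENV{PATH} // '', 0, 0);
my (undef, $logfile) = split /\s+/, $cfg_line, 2;

printf "config path tainted: %s\n", tainted($logfile) ? "yes" : "no";

# This is the situation in Logging.pm before the patch: open() for writing
# on a tainted filename is fatal under -T ("Insecure dependency in open ...").
eval {
    open my $fh, '>>', $logfile or die "open: $!\n";
    close $fh;
    1;
} or print "open with tainted path failed: $@";

# Untainting: only text captured by a regex against an explicit allow-list of
# path characters is trusted. Anything else is refused rather than stripped.
sub untaint_path {
    my ($path) = @_;
    return undef unless defined $path;
    if ($path =~ m{^([A-Za-z0-9_./-]+)\z}) {
        return $1;    # the capture group is untainted
    }
    warn "refusing to untaint suspicious path: '$path'\n";
    return undef;
}

my $safe = untaint_path($logfile);
if (defined $safe) {
    printf "untainted path tainted: %s\n", tainted($safe) ? "yes" : "no";
    if (open my $fh, '>>', $safe) {
        print $fh "example log line\n";
        close $fh;
        print "open with untainted path succeeded: $safe\n";
    } else {
        print "open failed: $!\n";
    }
}

# A path containing characters outside the allow-list (here an embedded
# newline) is refused, so a malformed config value cannot reach open().
my $refused = untaint_path("/tmp/bad\npath.log");
print "malformed path refused\n" unless defined $refused;

__DATA__
focr_logfile /tmp/fuzzyocr-example.log
```

Run it as `perl -T example.pl` (the shebang alone is not enough when invoked via `perl`, which reports "Too late for -T option"). The first open fails inside the eval with the same "Insecure dependency in open" message the report quotes; the second succeeds because the capture group of the allow-list match is untainted. The allow-list here is deliberately narrower than SpamAssassin's own; the point is that untainting is a validation step against a known-good character set applied to an administrator-supplied value, not a blanket removal of the taint flag.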
--- Logging.pm.ORIG 2010-02-03 10:54:38.000000000 +0100 +++ Logging.pm 2010-02-03 10:55:49.000000000 +0100 @@ -31,7 +31,8 @@ sub logfile { my $time = strftime("%Y-%m-%d %H:%M:%S",localtime(time)); $logtext =~ s/\n/\n /g; - unless ( open LOGFILE, ">>", $conf->{focr_logfile} ) { + my $fname = Mail::SpamAssassin::Util::untaint_file_path($conf->{focr_logfile}); + unless ( open LOGFILE, ">>", $fname ) { warn "Can't open $conf->{focr_logfile} for writing, check permissions"; return; }
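Review bot: the hunk does not handle the failure mode of Mail::SpamAssassin::Util::untaint_file_path. That function validates the path against an allow-list of characters rather than blindly stripping taint, which is the right primitive, but for a path containing characters outside that list it warns "refusing to untaint suspicious path" and does not hand back a usable untainted value, so `$fname` is not openable and the subsequent `open LOGFILE, ">>", $fname` still fails, now with the misleading "Can't open ... for writing, check permissions" message. Suggest checking `defined $fname` (and that it is non-empty) before the open and reporting the refusal explicitly, for example `warn "focr_logfile '$conf->{focr_logfile}' rejected as unsafe"; return;`. Logging.pm should also carry an explicit `use Mail::SpamAssassin::Util;` so the dependency is declared rather than relying on the module already being loaded by the spamassassin process. On the reporter's security concern: focr_logfile is taken from the administrator-controlled FuzzyOcr.cf, not from message content, so untainting it at the point of use matches how SpamAssassin treats its own configured file paths; keeping the check next to the open, as the hunk does, is the correct placement.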