Bug#568233: FuzzyOcr

2010-05-18 Thread Adam Cécile (Le_Vert)

Hi,

3.6.0-2 still doesn't work inside spamassassion:

dedibox:/etc/spamassassin# spamassassin --debug FuzzyOcr  
/usr/share/doc/fuzzyocr/examples/ocr-wrongext.eml /dev/null
mai 18 10:45:06.653 [5779] dbg: FuzzyOcr: focr_bin_helper: 
'pnmnorm,pnminvert,ppmtopgm'
mai 18 10:45:06.654 [5779] warn: plugin: eval failed: Insecure 
dependency in open while running with -T switch at 
/usr/share/perl5/FuzzyOcr/Logging.pm line 34.
mai 18 10:45:06.654 [5779] info: config: failed to parse line, skipping, 
in /etc/spamassassin/FuzzyOcr.cf: focr_bin_helper pnmnorm, pnminvert, 
ppmtopgm

mai 18 10:45:06.655 [5779] dbg: FuzzyOcr: focr_bin_helper: 'tesseract'
mai 18 10:45:06.655 [5779] warn: plugin: eval failed: Insecure 
dependency in open while running with -T switch at 
/usr/share/perl5/FuzzyOcr/Logging.pm line 34.
mai 18 10:45:06.655 [5779] info: config: failed to parse line, skipping, 
in /etc/spamassassin/FuzzyOcr.cf: focr_bin_helper tesseract
mai 18 10:45:06.657 [5779] info: FuzzyOcr: Starting preprocessor parser 
for file /etc/mail/spamassassin/FuzzyOcr.preps...
mai 18 10:45:06.658 [5779] warn: plugin: eval failed: Insecure 
dependency in open while running with -T switch at 
/usr/share/perl5/FuzzyOcr/Logging.pm line 34.
mai 18 10:45:06.658 [5779] info: config: failed to parse line, skipping, 
in /etc/spamassassin/FuzzyOcr.cf: focr_end_config
mai 18 10:45:07.484 [5779] info: FuzzyOcr: Searching in: 
/usr/local/netpbm/bin
mai 18 10:45:07.484 [5779] warn: plugin: eval failed: Insecure 
dependency in open while running with -T switch at 
/usr/share/perl5/FuzzyOcr/Logging.pm line 34.
mai 18 10:45:15.448 [5779] info: pyzor: [5782] error: TERMINATED, signal 
15 (000f)
mai 18 10:45:15.472 [5779] info: rules: meta test ADVANCE_FEE_3_NEW_FORM 
has dependency 'ADVANCE_FEE_3_NEW' with a zero score
mai 18 10:45:15.498 [5779] info: rules: meta test 
ADVANCE_FEE_3_NEW_MONEY has dependency 'ADVANCE_FEE_3_NEW' with a zero score

mai 18 10:45:15.589 [5779] dbg: FuzzyOcr: Starting FuzzyOcr...
mai 18 10:45:15.589 [5779] warn: rules: failed to run FUZZY_OCR test, 
skipping:
mai 18 10:45:15.589 [5779] warn:  (Insecure dependency in open while 
running with -T switch at /usr/share/perl5/FuzzyOcr/Logging.pm line 34.

mai 18 10:45:15.589 [5779] warn: )

Regards, Adam.

Bug#568233: fuzzyocr: Logfile option is not 'taint' safe causing far-reaching consequences (e.g. sa-compile will not run)

2010-02-03 Thread Arjan Opmeer
Package: fuzzyocr
Version: 3.5.1+svn135-1.2
Severity: normal
Tags: patch

FuzzyOcr allows logging to file with the focr_logfile option like so:

   focr_logfile /some/path/file

However, because nowadays spamassassin runs with Perl 'taint' mode enabled,
opening this file is not allowed:

   warn: plugin: eval failed: Insecure dependency in open while running with -T
 switch at /usr/share/perl5/FuzzyOcr/Logging.pm line 36.

Apparently also causing parsing errors:

   info: config: failed to parse line, skipping, in 
 /etc/spamassassin/FuzzyOcr.cf:
 focr_bin_helper pnmnorm, pnminvert, ppmtopgm

but ultimately causing the FuzzyOcr plugin not to run:

   warn: rules: failed to run FUZZY_OCR test, skipping:

Unfortunately this has far-reaching consequences because now sa-compile will
fail to run to completion:

   rules: failed to run FUZZY_OCR test, skipping:
  (Insecure dependency in open while running with -T switch at
   /usr/share/perl5/FuzzyOcr/Logging.pm line 36.)
   sa-compile: not compiling; 'spamassassin --lint' check failed!

which can also cause the spamassassin daily cron job to exit with an error.

The attached patch works around this problem by explicitly 'untainting' the
FuzzyOcr logfile. Now the FuzzyOcr plugin will work again and sa-compile
will run to its completion.

There might be a security impact with this change, so you might want to talk
to the spamassassin maintainers about this.


Arjan

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.27.21 (PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuzzyocr depends on:
ii  giflib-tools               4.1.6-9      library for GIF images (utilities)
ii  gifsicle                   1.58-1       Tool for manipulating GIF images
ii  gocr                       0.46-2.1     A command line OCR
ii  libdbd-mysql-perl          4.012-1+b1   A Perl5 database interface to the 
ii  libmldbm-sync-perl         0.30-3       Perl module for safe concurrent ac
ii  libstring-approx-perl      3.26-1       Perl extension for approximate mat
ii  libtie-cache-perl          0.17-4       perl Tie::Cache - LRU Cache in Mem
ii  netpbm                     2:10.0-12    Graphics conversion tools
ii  ocrad                      0.17-4       Optical Character Recognition prog
ii  perl [libdigest-md5-perl]  5.10.1-9     Larry Wall's Practical Extraction 
ii  spamassassin               3.3.0-1      Perl-based spam filter using text 
ii  tesseract-ocr-eng          2.00-1       tesseract-ocr language files for E

fuzzyocr recommends no packages.

fuzzyocr suggests no packages.

-- no debconf information
--- Logging.pm.ORIG 2010-02-03 10:54:38.0 +0100
+++ Logging.pm  2010-02-03 10:55:49.0 +0100
@@ -31,7 +31,8 @@ sub logfile {
 my $time = strftime(%Y-%m-%d %H:%M:%S,localtime(time));
 $logtext =~ s/\n/\n  /g;
 
-unless ( open LOGFILE, , $conf-{focr_logfile} ) {
+my $fname = 
Mail::SpamAssassin::Util::untaint_file_path($conf-{focr_logfile});
+unless ( open LOGFILE, , $fname ) {
warn Can't open $conf-{focr_logfile} for writing, check permissions;
return;
 }
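Review bot: the result of Mail::SpamAssassin::Util::untaint_file_path is never checked in this hunk; it returns undef when the path does not match its allowed character class, so `open LOGFILE, ..., $fname` would then be called with an undefined filename and the existing warning still names `$conf->{focr_logfile}` rather than saying the path was rejected. Add a `defined $fname` test before the open and warn that the configured focr_logfile failed the untaint check. Because the same config value is opened on every logfile() call, untainting once where focr_logfile is parsed (and rejecting bad values there as a config error) would keep this path simple and put the one security decision in a single visible place. Also, the mode argument in both the `-` and `+` open lines reads as empty (`open LOGFILE, , $fname`) and the strftime format string is unquoted, which suggests quoting was lost in transit; re-sending the patch as an attachment would let it apply cleanly.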
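An added example, not FuzzyOcr's or SpamAssassin's code, that reproduces the taint failure described in the report and the untaint-then-open sequence the patch introduces; `untaint_path` is a hypothetical stand-in for `untaint_file_path`, and the config fragment and log path are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not FuzzyOcr's code. Shows why a logfile path read from a
# config file is rejected by open() under taint mode and how regex-capture
# untainting (the mechanism behind untaint_file_path in the patch) behaves.
use strict;
use warnings;
use Scalar::Util qw(tainted);
# Hypothetical stand-in for Mail::SpamAssassin::Util::untaint_file_path:
# only a conservative character class passes; the capture is what untaints.
sub untaint_path {
    my ($path) = @_;
    return undef unless defined $path;
    return $path =~ m{^([\w./-]+)\z} ? $1 : undef;
}

# Parse a constructed FuzzyOcr.cf fragment from DATA. Under -T anything read
# from a filehandle is tainted, exactly like the real /etc/spamassassin file.
my %conf;
while (my $line = <DATA>) {
    chomp $line;
    next if $line =~ /^\s*(#|$)/;
    my ($key, $value) = split /\s+/, $line, 2;
    $conf{$key} = $value;
}
printf "config value tainted: %s\n", tainted($conf{focr_logfile}) ? "yes" : "no";

# Unpatched behaviour: open for append with the tainted path. Perl refuses
# with "Insecure dependency in open while running with -T switch".
eval { open(my $fh, '>>', $conf{focr_logfile}) or die "open: $!\n"; close $fh; 1 }
    or print "unpatched open failed: $@";

# Patched behaviour, plus the check the hunk lacks: untaint_file_path-style
# helpers return undef on rejection, so test that before calling open.
my $fname = untaint_path($conf{focr_logfile});
if (defined $fname) {
    open(my $fh, '>>', $fname) or die "cannot open $fname: $!\n";
    print $fh "example line\n";
    close $fh;
    printf "patched open ok: %s (tainted: %s)\n", $fname, tainted($fname) ? "yes" : "no";
} else {
    warn "focr_logfile '$conf{focr_logfile}' rejected by untaint check\n";
}
# Paths that would smuggle a shell metacharacter or a newline are rejected.
for my $bad ('/tmp/log;rm x', "/tmp/log\n") {
    printf "%-16s -> %s\n", $bad =~ s/\n/\\n/r, defined untaint_path($bad) ? 'accepted' : 'rejected';
}
__DATA__
# constructed fragment of FuzzyOcr.cf
focr_logfile /tmp/fuzzyocr-example.log
```

Run it as `perl -T example.pl`; invoking it without the flag makes perl stop with "Too late for -T" because the switch is only honoured from the command line.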