I have not gotten this into the bugzilla, but ... as it appears a 3.3 release is imminent, I thought I should mention seeing this in my log files:

I am getting this:

Jan 20 18:17:40 vm049244181 spamd[14023]: spamd: Insecure dependency in chown while running with -T switch at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1934, <GEN16> line 2.

which is:

      if (($< == 0) && ($> == 0) && defined($user)) { # chown  it
        my ($uid,$gid) = (getpwnam($user))[2,3];
        unless (chown($uid, $gid, $fname)) {
          warn "config: couldn't chown $fname to $uid:$gid for $user: $!\n";
        }


sort of a sketchy test for 'root' here also

I searched the bugzilla, but nothing relevant found with:

https://issues.apache.org/SpamAssassin/buglist.cgi?quicksearch=spamassassin+taint


-------------------------------

it looks like a prior similar fix here:

http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200909.mbox/%3c20090917234411.9d6e22388...@eris.apache.org%3e

       #
       # If vpopmail config enabled then set $userdir to virtual homedir
       #
-      no re 'taint';
- my $username_untainted = ( $username =~ /^([-:,.=+a-za-z0...@~]+)$/ ? $1 : undef );
-      use re 'taint';
+      my $username_untainted;
+      $username_untainted =
+        untaint_var($username)  if $username =~ /^[-:,.=+a-za-z0-...@~]+\z/;
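
Review bot: in the added `$username_untainted = untaint_var($username) if ...` statement, a username that fails the pattern leaves `$username_untainted` undefined and nothing in these lines reports it, so the code that goes on to set the virtual homedir should test `defined $username_untainted` first and log the rejected value. The character class also still admits `.`, so a value made only of dots passes the match; if the result is used as a path component, reject that case explicitly.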


-- Russ herrold
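
An added example, not part of the original message and not SpamAssassin code: one way to find out which argument of the chown call quoted above is tainted, and to validate each one before the call. The helper names `untaint_if_valid` and `checked_chown`, the path policy and the demo input are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T chown_taint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Hypothetical helper: return an untainted copy of $value if the whole
# string matches $pattern, otherwise undef. The regex capture untaints.
sub untaint_if_valid {
    my ($value, $pattern) = @_;
    return undef unless defined $value;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# Hypothetical wrapper around the chown call from the log message:
# report which arguments are tainted, validate each, then call chown.
sub checked_chown {
    my ($user, $fname) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    return "unknown user" unless defined $uid;

    my %args = (uid => $uid, gid => $gid, fname => $fname);
    my @tainted = grep { tainted($args{$_}) } sort keys %args;
    print "tainted before validation: @tainted\n" if @tainted;

    my $uid_ok = untaint_if_valid($uid, qr/[0-9]+/);
    my $gid_ok = untaint_if_valid($gid, qr/[0-9]+/);
    return "rejected uid/gid" unless defined $uid_ok && defined $gid_ok;

    # Assumed policy: absolute path, conservative characters, no ".." part.
    my $fname_ok = untaint_if_valid($fname, qr{/[-\w./]+});
    return "rejected fname"
        if !defined $fname_ok || $fname_ok =~ m{(?:^|/)\.\.(?:/|$)};

    chown($uid_ok, $gid_ok, $fname_ok) or return "chown failed: $!";
    return "ok";
}

# Constructed demo input: the current user and a temp file, so root is not
# needed. Appending a zero-length tainted string marks both values tainted.
my $taint = substr($^X, 0, 0);
my $user  = getpwuid($>);
my ($fh, $path) = tempfile(UNLINK => 1);
print checked_chown($user . $taint, $path . $taint), "\n";
```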
