[Bug 6148] New: sa-update fails: Insecure dependency in mkdir


by Bugzilla from bugzilla-daemon@bugzilla.spamassassin.org

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6148

           Summary: sa-update fails: Insecure dependency in mkdir
           Product: Spamassassin
           Version: 3.3.0
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: sa-update
        AssignedTo: dev@...
        ReportedBy: wtogami@...


perl-5.10.0-69.fc11.x86_64

sa-update of spamassassin-3.3.0-alpha1 fails with the *.pre files from trunk.
If I delete and instead copy the *.pre files from 3.2.5, then sa-update
succeeds.

[root@newcaprica ~]# sa-update
Insecure dependency in mkdir while running with -T switch at
/usr/lib/perl5/5.10.0/File/Path.pm line 104.

[root@newcaprica ~]# rm /etc/mail/spamassassin/*.pre
rm: remove regular file `init.pre'? y
rm: remove regular file `v310.pre'? y
rm: remove regular file `v312.pre'? y
rm: remove regular file `v320.pre'? y
[root@newcaprica ~]# cp /tmp/Mail-SpamAssassin-3.2.5/rules/*.pre
/etc/mail/spamassassin/
[root@newcaprica ~]# sa-update
[root@newcaprica ~]# ls -l /var/lib/spamassassin/3.003000/
total 8
drwxr-xr-x. 2 root root 4096 2009-07-06 19:18 updates_spamassassin_org
-rw-r--r--. 1 root root 2339 2009-07-06 19:18 updates_spamassassin_org.cf

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6148] sa-update fails: Insecure dependency in mkdir

--- Comment #1 from Mark Martinec <Mark.Martinec@...>  2009-07-07 06:01:30 PST ---
(my yesterday's posting, just for documentation):

I saw it last week; it looks like an old Perl bug of a tainted $1
is rearing its head again. The following patch to File/Basename.pm
avoids the trouble:

--- Basename.pm~        2009-06-09 16:31:34.000000000 +0200
+++ Basename.pm 2009-06-27 15:49:49.000000000 +0200
@@ -332,4 +332,5 @@
     my $type = $Fileparse_fstype;

+    local $1;
     if ($type eq 'MacOS') {
         $_[0] =~ s/([^:]):\z/$1/s;
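Review bot: the added `local $1;` is unconditional and nothing in the code explains why it is there, so a later cleanup is likely to drop it as a no-op; add a comment at the insertion point stating that it prevents a tainted $1 left over from an earlier match from being carried into $_[0] through the `s/([^:]):\z/$1/s` replacement, and that this is a workaround for a perl taint-propagation bug rather than a Basename.pm defect.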

Here the $_[0] is NOT tainted, but $1 is, so the $_[0] gets tainted,
which leads to a failure in mkdir further on.

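The mechanism described above (a clean string picking up taint from a tainted value used in a substitution, and mkdir then refusing the path under -T), together with the explicit allow-list untainting the later commit refers to, as an added Perl example that is not part of the bug report or of SpamAssassin; `untaint_dirname` is a hypothetical helper, not SpamAssassin's `untaint_var`.

```perl
#!/usr/bin/perl -T
# Added example, not code from the bug report or from SpamAssassin: shows
# how taint spreads through a substitution, why mkdir dies under -T, and
# the allow-list untaint idiom that "explicit untainting" refers to.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

# Values from outside the program (@ARGV, %ENV, file input) are tainted.
# Appending a zero-length slice of %ENV is the usual way to taint a
# literal on purpose, so the demo also works without any arguments.
my $taint    = substr(join('', %ENV), 0, 0);
my $external = (@ARGV ? $ARGV[0] : 'updates_spamassassin_org') . $taint;
my $internal = 'updates_spamassassin_org';
printf "external tainted: %d, internal tainted: %d\n",
    tainted($external) ? 1 : 0, tainted($internal) ? 1 : 0;

# Interpolating a tainted value into the replacement side of s/// taints
# the target string, even though the target itself started out clean.
my $copy = $internal;
$copy =~ s/^updates/$external/;
printf "after interpolating tainted data: %d\n", tainted($copy) ? 1 : 0;

# Hypothetical helper (not SpamAssassin's untaint_var): accept only a strict
# allow-list and return the capture, which perl treats as untainted. The
# first character may not be "." so "..", ".", and dotfiles are refused.
sub untaint_dirname {
    my ($value) = @_;
    return undef unless defined $value;
    return $1 if $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return undef;    # contains "/", whitespace, or other disallowed bytes
}

my $base = tempdir(CLEANUP => 1);    # File::Temp yields an untainted base dir

# mkdir on a tainted path is fatal under -T; catch it to show the message.
my $unsafe = File::Spec->catdir($base, $external);
eval { mkdir $unsafe or die "mkdir failed: $!\n"; 1 }
    or print "tainted path rejected: $@";

# After explicit untainting the same name is accepted.
my $name = untaint_dirname($external);
die "refusing to use unsafe directory name\n" unless defined $name;
my $safe = File::Spec->catdir($base, $name);
printf "safe path tainted: %d\n", tainted($safe) ? 1 : 0;
mkdir $safe or die "mkdir $safe: $!\n";
print "created $safe\n";
```

Run it as `perl -T example.pl [dirname]`; invoking perl on the file without -T is rejected with "Too late for -T" because the switch on the shebang line must match the command line.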

[Bug 6148] sa-update fails: Insecure dependency in mkdir

--- Comment #2 from Mark Martinec <Mark.Martinec@...>  2009-07-07 06:02:58 PST ---
  Bug 6148: avoid $1 from getting tainted by fiddling with
  sub get_description_for_rule, and by localizing $1 throughout
  sa-update. Use explicit untainting by untaint_var there
  instead of manually untainting variables.
Sending        lib/Mail/SpamAssassin/Conf.pm
Sending        lib/Mail/SpamAssassin/PerMsgStatus.pm
Sending        sa-update.raw
Committed revision 791820 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=791820 ).


[Bug 6148] sa-update fails: Insecure dependency in mkdir

--- Comment #3 from Justin Mason <jm@...>  2009-07-07 06:04:18 PST ---
painful, but +1.


[Bug 6148] sa-update fails: Insecure dependency in mkdir

--- Comment #4 from Mark Martinec <Mark.Martinec@...>  2009-07-07 06:12:04 PST ---
(In reply to comment #0)
> sa-update of spamassassin-3.3.0-alpha1 fails with the *.pre files from trunk.
> If I delete and instead copy the *.pre files from 3.2.5, then sa-update
> succeeds.

Btw, the difference there in the .pre files is that the AWL plugin is
now commented out in v310.pre. Interestingly, uncommenting it
(enabling it again) mysteriously avoids the taint bug.

I'll attach the diff to make it easier for Warren to test it.


[Bug 6148] sa-update fails: Insecure dependency in mkdir

--- Comment #5 from Mark Martinec <Mark.Martinec@...>  2009-07-07 06:14:08 PST ---
Created an attachment (id=4477)
 --> (https://issues.apache.org/SpamAssassin/attachment.cgi?id=4477)
A workaround for $1 getting tainted and spreading taint


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Mark Martinec <Mark.Martinec@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|Undefined                   |3.3.0

--- Comment #6 from Mark Martinec <Mark.Martinec@...>  2009-08-06 05:42:00 PST ---
The fix appears to avoid the perl bug. Closing.


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Mark Martinec <Mark.Martinec@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |Mark.Martinec@...
         Resolution|FIXED                       |

--- Comment #7 from Mark Martinec <Mark.Martinec@...> 2009-09-17 13:15:39 PDT ---
Apparently the workaround does not help to avoid the perl bug.
Also Bug 6206.


[Bug 6148] sa-update fails: Insecure dependency in mkdir


--- Comment #8 from Mark Martinec <Mark.Martinec@...> 2009-09-17 13:16:50 PDT ---
*** Bug 6206 has been marked as a duplicate of this bug. ***


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Warren Togami <wtogami@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P1
                 CC|                            |wtogami@...
           Severity|major                       |critical


[Bug 6148] sa-update fails: Insecure dependency in mkdir


--- Comment #9 from Warren Togami <wtogami@...> 2009-09-17 13:29:51 PDT ---
(In reply to comment #7)
> Apparently the workaround does not help to avoid the perl bug.
> Also Bug 6206.

The patch for Basename.pm is applied to perl here in the case of Fedora 12.
Are you referring to a different perl bug?


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Mark Martinec <Mark.Martinec@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #10 from Mark Martinec <Mark.Martinec@...> 2009-09-17 13:43:24 PDT ---
> The patch for Basename.pm is applied to perl here in the case of Fedora 12.
> Are you referring to a different perl bug?

Good, although this change to Basename.pm is only a workaround:
the bug is in perl, and $1 should not be able to get tainted there.

Re-closing, this is not the same issue after all, sorry.


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Mark Martinec <Mark.Martinec@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|Mark.Martinec@...        |


[Bug 6148] sa-update fails: Insecure dependency in mkdir


Yves Orton <demerphq@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |demerphq@...

--- Comment #11 from Yves Orton <demerphq@...> 2009-11-02 14:22:36 UTC ---
Hi. Would it be possible to find out more about this ticket in a reply to:

http://rt.perl.org/rt3//Public/Bug/Display.html?id=67962

I've looked at the bug report, and the patches proposed, and cannot understand
what might possibly be wrong internally in perl.

Can you reduce this to a simpler test case please?

Yves
