Posted to users@spamassassin.apache.org by Henk van Lingen <he...@cs.uu.nl> on 2006/11/30 11:43:14 UTC

sa-update / taint error

Hi,

Whenever I try to run sa-update, it ends with the error:

sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A

...

[14411] dbg: generic: unlinking 10_misc.cf
Insecure dependency in unlink while running with -T switch at /usr/bin/sa-update line 1173.

I'm not a Perl wizard. Untainting $path doesn't help.

What can be the problem?

dawn:mail/spamassassin-# rpm -qf `which sa-update`
spamassassin-3.1.7-1.el3.rf

Regards,
-- 
Henk van Lingen, Systems & Network Administrator              (o-      -+
Dept. of Computer Science, Utrecht University.                /\        |
phone: +31-30-2534107                                        v_/_
http://henk.vanlingen.net/             http://www.tuxtown.net/netiquette/

Re: sa-update / taint error

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Henk van Lingen wrote:

>   Hi Daryl,
> 
>   I restored my situation from two days ago, and the problem returned.
>   Your patch seems to fix the problem.

Thanks for confirming the fix, Henk.  Fixed in the 3.1 branch (3.1.8) and 
trunk.

Daryl

Re: sa-update / taint error

Posted by Henk van Lingen <he...@cs.uu.nl>.
On Thu, Nov 30, 2006 at 01:44:32PM -0500, Daryl C. W. O'Shea wrote:
  > >
  > >  Hm, I've run sa-update without -T today, and now I can't reproduce
  > >  the problem :-( Maybe because there are no updates anymore...
  > 
  > You removed the "-T" from the first line of sa-update?  Perl won't 
  > complain about tainted variables without it.

  Exactly, but I had to fix the updates.

  > Just rm /var/lib/spamassassin/updates.spamassassin.org* (or wherever 
  > your updates are stored) so you can download the same update again.
  > 
  > 
  > >  Maybe tomorrow (when back at the office) I can reproduce yesterday's
  > >  situation.
  > 
  > Please follow up in bug 5216 or at least to the list (and copy me) as 
  > soon as you can.

  Hi Daryl,

  I restored my situation from two days ago, and the problem returned.
  Your patch seems to fix the problem.

  Thanks,

-- 
Henk van Lingen, Systems & Network Administrator              (o-      -+
Dept. of Computer Science, Utrecht University.                /\        |
phone: +31-30-2534107                                        v_/_
http://henk.vanlingen.net/             http://www.tuxtown.net/netiquette/

Re: sa-update / taint error

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Henk van Lingen wrote:
> On Thu, Nov 30, 2006 at 11:55:36AM -0500, Daryl C. W. O'Shea wrote:
>   > Henk van Lingen wrote:
>   > 
>   > >[14411] dbg: generic: unlinking 10_misc.cf
>   > >Insecure dependency in unlink while running with -T switch at 
>   > >/usr/bin/sa-update line 1173.
>   > 
>   > Please try the attached patch and *please* let me know if it resolves 
>   > the problem.
>   > 
>   > +    local ($1); # prevent random taint flagging
> 
>   Hm, I've run sa-update without -T today, and now I can't reproduce
>   the problem :-( Maybe because there are no updates anymore...

You removed the "-T" from the first line of sa-update?  Perl won't 
complain about tainted variables without it.

Just rm /var/lib/spamassassin/updates.spamassassin.org* (or wherever 
your updates are stored) so you can download the same update again.


>   Maybe tomorrow (when back at the office) I can reproduce yesterday's
>   situation.

Please follow up in bug 5216 or at least to the list (and copy me) as 
soon as you can.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5216


Thanks,

Daryl




Re: sa-update / taint error

Posted by Henk van Lingen <he...@cs.uu.nl>.
On Thu, Nov 30, 2006 at 11:55:36AM -0500, Daryl C. W. O'Shea wrote:
  > Henk van Lingen wrote:
  > 
  > >[14411] dbg: generic: unlinking 10_misc.cf
  > >Insecure dependency in unlink while running with -T switch at 
  > >/usr/bin/sa-update line 1173.
  > 
  > Please try the attached patch and *please* let me know if it resolves 
  > the problem.
  > 
  > +    local ($1); # prevent random taint flagging
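
Review bot: the comment on the added "local ($1);" line, "prevent random taint flagging", does not say where the taint comes from or which operation it protects. Suggest expanding it to name the unlink that fails under -T (the "Insecure dependency in unlink" at sa-update line 1173 quoted above), so the line is not later removed as a no-op.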

  Hm, I've run sa-update without -T today, and now I can't reproduce
  the problem :-( Maybe because there are no updates anymore...

  Maybe tomorrow (when back at the office) I can reproduce yesterday's
  situation.

  Regards,

-- 
Henk van Lingen, Systems & Network Administrator              (o-      -+
Dept. of Computer Science, Utrecht University.                /\        |
phone: +31-30-2534107                                        v_/_
http://henk.vanlingen.net/             http://www.tuxtown.net/netiquette/

Re: sa-update / taint error

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Henk van Lingen wrote:

> [14411] dbg: generic: unlinking 10_misc.cf
> Insecure dependency in unlink while running with -T switch at /usr/bin/sa-update line 1173.

Please try the attached patch and *please* let me know if it resolves 
the problem.

Daryl