Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/09/17 19:53:18 UTC
[Bug 6206] New: spamd: setuid mkdir Insecure Dependency
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Summary: spamd: setuid mkdir Insecure Dependency
Product: Spamassassin
Version: 3.3.0
Platform: Other
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: spamc/spamd
AssignedTo: dev@spamassassin.apache.org
ReportedBy: wtogami@redhat.com
perl-5.8.8-27.el5 spamassassin-3.3.0-alpha2
perl-5.10.0-73.fc11 spamassassin-3.2.5
perl-5.10.0-82.fc12 spamassassin-3.3.0-alpha2
spamd -D -d -c -m5 -H
useradd testuser
su - testuser
cat /usr/share/doc/spamassassin-3.3.0/sample-spam.txt | spamc
FAILS TO CREATE ~/.spamassassin
spamd: connection from localhost [127.0.0.1] at port 57087
spamd: setuid to testuser succeeded
spamd: creating default_prefs: /home/testuser/.spamassassin/user_prefs
spamd[25688]: config: using "/home/testuser/.spamassassin" for user state dir
spamd[25688]: config: mkdir /home/testuser/.spamassassin failed: Insecure dependency in mkdir while running setuid at /usr/lib/perl5/5.10.0/File/Path.pm line 104, <GEN18> line 2.
spamd[25688]: config: cannot create /home/testuser/.spamassassin/user_prefs: 2
spamd: failed to create readable default_prefs: /home/testuser/.spamassassin/user_prefs
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Warren Togami <wt...@redhat.com> changed:
What    |Removed                                 |Added
----------------------------------------------------------------------------
Summary |spamd: setuid mkdir Insecure Dependency |spamd: Insecure Dependency in setuid mkdir
--- Comment #1 from Warren Togami <wt...@redhat.com> 2009-09-17 11:48:14 PDT ---
FAILS perl-5.8.8-27.el5 spamassassin-3.3.0-alpha2
WORKS perl-5.8.8-27.el5 spamassassin-3.2.5
RHEL-5 fails with 3.3.0-alpha2 but not 3.2.5.
FAILS perl-5.10.0-73.fc11 spamassassin-3.3.0-alpha2
FAILS perl-5.10.0-73.fc11 spamassassin-3.2.5
Fedora 11 fails with both 3.2.5 and 3.3.0-alpha2, however the 3.2.5 failure is
a different issue.
spamd[7639]: config: using "/home/fedora/wtogami/.spamassassin" for user state dir
spamd[7639]: config: mkdir /home/fedora/wtogami/.spamassassin failed: mkdir /home/fedora/wtogami/.spamassassin: Permission denied at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin.pm line 1577
spamd[7639]: config: Permission denied
So it does seem that something regressed in 3.3.0-alpha2 since 3.2.5.
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Warren Togami <wt...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P1
--- Comment #2 from Warren Togami <wt...@redhat.com> 2009-09-17 12:23:58 PDT ---
Confirmed regression in 3.3.0 that would significantly impact its operation, so
I guess this is P1.
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Mark.Martinec@ijs.si
--- Comment #3 from Mark Martinec <Ma...@ijs.si> 2009-09-17 12:26:49 PDT ---
working on it...
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
--- Comment #6 from Mark Martinec <Ma...@ijs.si> 2009-09-17 16:47:15 PDT ---
Bug 6206, Bug 2536: spamd: untaint directory as obtained from
a password file or from vpopmail utilities, avoid implicit
untainting; report error if user preferences file exists
but cannot be accessed; some cosmetics (avoid deep nesting
where possible, and avoid faraway small code segments)
Sending lib/Mail/SpamAssassin.pm
Sending spamd/spamd.raw
Committed revision 816412.
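
Added example, not part of the bug thread or of the SpamAssassin commit: a stand-alone Perl script showing the failure mode reported above (mkdir refused on a tainted path) next to explicit untainting of a home directory through a validating regex. The passwd-style record, the /nonexistent path, the helper names and the allowlist pattern are all constructed for illustration; run it as "perl -T taint_mkdir.pl".

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed passwd-style record. Appending a zero-length slice of the
# tainted variables $0 and $^X taints the whole string, standing in for
# data that reached the program from outside.
my $record = 'testuser:x:1001:1001::/nonexistent/home/testuser:/bin/sh'
           . substr("$0$^X", 0, 0);
my $home = (split /:/, $record)[5];
die "expected a tainted value; run with perl -T\n" unless tainted($home);

# Explicit untainting: accept only an absolute path built from an
# allowlisted character set with no ".." component, and hand back the
# regex capture. The allowlist is an assumption made for this example,
# not the pattern used by SpamAssassin.
sub untaint_home_dir {
    my ($dir) = @_;
    return unless defined $dir;
    return if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $1 if $dir =~ m{\A(/[A-Za-z0-9._/-]+)\z};
    return;
}

# Attempt mkdir and report how it ended: stopped by the taint check,
# rejected by the operating system, or successful.
sub try_mkdir {
    my ($path) = @_;
    my ($made, $os_error);
    eval { $made = mkdir $path, 0700; $os_error = "$!"; 1 }
        or return "refused by taint check: $@";
    return $made ? "created\n" : "reached the OS, which answered: $os_error\n";
}

# Tainted path: Perl dies with "Insecure dependency in mkdir" before any
# system call is made.
print "tainted path:   ", try_mkdir("$home/.spamassassin");

# Validated path: mkdir now runs; the constructed parent directory does not
# exist, so the result is an ordinary OS error instead of a taint error.
my $clean_home = untaint_home_dir($home)
    or die "home directory failed validation\n";
print "untainted path: ", try_mkdir("$clean_home/.spamassassin");
```

The capture is trusted only because the pattern constrains it; a catch-all such as (.*) would clear the taint flag without checking anything.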
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
--- Comment #4 from Mark Martinec <Ma...@ijs.si> 2009-09-17 13:16:50 PDT ---
I knew I've seen it before...
*** This bug has been marked as a duplicate of bug 6148 ***
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #7 from Mark Martinec <Ma...@ijs.si> 2009-09-18 07:39:45 PDT ---
Closing, fixed.
[Bug 6206] spamd: setuid mkdir Insecure Dependency
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Warren Togami <wt...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P2
CC| |wtogami@redhat.com
Target Milestone|Undefined |3.3.0
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|Mark.Martinec@ijs.si |
[Bug 6206] spamd: Insecure Dependency in setuid mkdir
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6206
Mark Martinec <Ma...@ijs.si> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|DUPLICATE |
--- Comment #5 from Mark Martinec <Ma...@ijs.si> 2009-09-17 13:40:26 PDT ---
Then again, maybe not. Sorry to have jumped to a conclusion.