You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2008/12/31 17:55:46 UTC

[Bug 5932] audit SA for use of File::Path::rmtree() due to security bug

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5932


Justin Mason <jm...@jmason.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #1 from Justin Mason <jm...@jmason.org>  2008-12-31 08:55:46 PST ---
checked in on trunk:

: 33...; svn commit -m "bug 5932: replace trivial File::Path::rmtree usage with
simple 'rm -rf' command lines to avoid File::Path security bug (CPAN bug#
36982).  we still have other usage of rmtree(), but it's all in the test suite
rather than runtime code"
Sending        sa-compile.raw
Sending        spamd-apache2/lib/Mail/SpamAssassin/Spamd/Apache2/Config.pm
Transmitting file data ..
Committed revision 730414 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=730414 ).

here's the diff:

: 31...; svn diff
Index: spamd-apache2/lib/Mail/SpamAssassin/Spamd/Apache2/Config.pm
===================================================================
--- spamd-apache2/lib/Mail/SpamAssassin/Spamd/Apache2/Config.pm (revision
730413 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=730413 ))
+++ spamd-apache2/lib/Mail/SpamAssassin/Spamd/Apache2/Config.pm (working copy)
@@ -450,7 +450,7 @@
       $ENV{HOME} = $tmphome;
       $sa->compile_now(0, 1);
       delete $ENV{HOME};
-      File::Path::rmtree($tmphome);
+      system("rm -rf '$tmphome'");
       $Mail::SpamAssassin::Spamd::Apache2::spamtest = $sa;
       Mail::SpamAssassin::Spamd::backup_config($sa);
     }
Index: sa-compile.raw
===================================================================
--- sa-compile.raw      (revision 730413 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=730413 ))
+++ sa-compile.raw      (working copy)
@@ -376,13 +376,14 @@

   our $PATH = $modname;
   $PATH =~ s/::/-/g;
+  $PATH =~ s/[^-_A-Za-z0-9\.]/_/g;
   our $PMFILE = $modname;
   $PMFILE =~ s/.*:://;
   $PMFILE .= ".pm";
   our $XSFILE = $PMFILE;
   $XSFILE =~ s/\.pm$/.xs/;

-  $force and rmtree $PATH;
+  $force and system("rm -rf $PATH");
   mkdir $PATH or (!$force and die "mkdir($PATH): $!");
   chdir $PATH;
   if (!$quiet) { print "cd $PATH\n" or die "error writing: $!" }


Neither of these were exploitable AFAICT, so no need to backport.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.