Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/01/07 10:01:00 UTC
[Bug 7782] New: Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7782
Bug ID: 7782
Summary: Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114
Product: Spamassassin
Version: 3.4.3
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: h.reindl@thelounge.net
Target Milestone: Undefined
that's somehow a showstopper for upgrading to 3.4.3
how would someone abuse the hardcoded socket path from the config?
---------------------------------------
clamav.cf:
ifplugin Mail::SpamAssassin::Plugin::ClamAV
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score CLAMAV_JNK 5.5
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score CLAMAV_MLW 9.9
endif
---------------------------------------
clamav.pm:
package Mail::SpamAssassin::Plugin::ClamAV;

use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use File::Scan::ClamAV;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    # Exposes check_clamav() to rules files as eval:check_clamav('<socket path>')
    $self->register_eval_rule('check_clamav');
    return $self;
}

sub check_clamav {
    my ($self, $pms, $fulltext, $socket) = @_;
    dbg("ClamAV: File::Scan::ClamAV over %s", $socket);
    # $socket comes straight from the rules file and is still tainted here;
    # with spamd running under -T this is what triggers the
    # "Insecure dependency in connect" error inside IO::Socket.
    # File::Scan::ClamAV accepts a UNIX socket path in place of a TCP port.
    my $clamav = File::Scan::ClamAV->new(port => $socket);
    my ($code, $virus) = $clamav->streamscan(${$fulltext});
    my $isspam = 0;
    if (!$code) {
        my $errstr = $clamav->errstr();
        dbg("ClamAV: $errstr");
    }
    elsif ($code eq 'FOUND') {
        $isspam = 1;
        $pms->test_log($virus);
        dbg("ClamAV: $virus");
    }
    return $isspam;
}

1;
---------------------------------------
Jan 7 10:56:39 testserver spamd[1393]: spamd: server killed by SIGTERM, shutting down
Jan 7 10:56:42 testserver spamd[128349]: util: setuid: ruid=189 euid=189 rgid=188 188 egid=188 188
Jan 7 10:56:42 testserver spamd[128343]: rules: failed to run CLAMAV_JNK test, skipping:
Jan 7 10:56:42 testserver spamd[128343]: (Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114.
Jan 7 10:56:42 testserver spamd[128343]: )
Jan 7 10:56:42 testserver spamd[128343]: rules: failed to run CLAMAV_MLW test, skipping:
Jan 7 10:56:42 testserver spamd[128343]: (Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114.
Jan 7 10:56:42 testserver spamd[128343]: )
Jan 7 10:56:42 testserver spamd[128350]: util: setuid: ruid=189 euid=189 rgid=188 188 egid=188 188
Jan 7 10:56:42 testserver spamd[128343]: spamd: server started on UNIX domain socket /run/spamassassin/spamassassin.sock (running version 3.4.3)
Jan 7 10:56:42 testserver spamd[128343]: spamd: server pid: 128343
---------------------------------------
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7782] Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114
Reindl Harald <h....@thelounge.net> changed:
What        |Removed |Added
------------+--------+-----------------------
CC          |        |h.reindl@thelounge.net
--- Comment #2 from Reindl Harald <h....@thelounge.net> ---
well, that works, thx
[root@mail-gw:~]$ cat /etc/mail/spamassassin/clamav.pm
package Mail::SpamAssassin::Plugin::ClamAV;

use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use File::Scan::ClamAV;
use Mail::SpamAssassin::Util qw(untaint_var);

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    # Exposes check_clamav() to rules files as eval:check_clamav('<socket path>')
    $self->register_eval_rule('check_clamav');
    return $self;
}

sub check_clamav {
    my ($self, $pms, $fulltext, $socket) = @_;
    # Blanket untaint: satisfies taint mode, but does not validate the path
    # itself (existence, character set); see comment #1 for that part.
    $socket = untaint_var($socket);
    my $clamav = File::Scan::ClamAV->new(port => $socket);
    my ($code, $virus) = $clamav->streamscan(${$fulltext});
    my $isspam = 0;
    if (!$code) {
        my $errstr = $clamav->errstr();
        dbg("ClamAV: $errstr");
    }
    elsif ($code eq 'FOUND') {
        $isspam = 1;
        $pms->test_log($virus);
        dbg("ClamAV: $virus");
    }
    return $isspam;
}

1;
[root@mail-gw:~]$
[Bug 7782] Insecure dependency in connect while running with -T switch at /usr/lib64/perl5/IO/Socket.pm line 114
Henrik Krohns <ap...@hege.li> changed:
What        |Removed |Added
------------+--------+-----------------------
Resolution  |---     |INVALID
CC          |        |apache@hege.li
Status      |NEW     |RESOLVED
--- Comment #1 from Henrik Krohns <ap...@hege.li> ---
Perl taint check does not have AI to decide whether someone can actually abuse
a string (wouldn't that be nice?). Its job is to simply complain if input used
in system functions is not validated.
use Mail::SpamAssassin::Util qw(untaint_var);
...
$socket = untaint_var($socket);
Of course, additionally one should check if the socket even exists; what's the
point of passing garbage around to third-party code? That's the validating
part.
Not SA maintained module so closing as invalid.
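Comment #1 asks for validation on top of untainting. The following is an added example, not code from the bug report, the reporter's plugin or SpamAssassin itself: a validate_clamd_socket() helper (hypothetical name) that check_clamav() could call instead of the blanket untaint_var(). It untaints through a regex capture only a path that is absolute, uses a safe character set, has no '..' segment and is an existing UNIX socket; the demo creates a throwaway socket so it runs offline under -T.

```perl
#!/usr/bin/perl -T
# Added example, not from the bug report: validate (rather than blanket-untaint)
# a clamd socket path before it reaches File::Scan::ClamAV under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Returns ($clean_path, undef) on success or (undef, $reason) on rejection.
# Checks: absolute path built from a safe character set, no '..' segment,
# and the path is an existing UNIX domain socket. The regex capture is what
# untaints the value, so only a value that passed the checks is ever untainted.
sub validate_clamd_socket {
    my ($path) = @_;
    return (undef, 'no socket path given') unless defined $path && length $path;
    my ($clean) = $path =~ m{\A(/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+)\z}
        or return (undef, "unexpected characters in socket path: $path");
    return (undef, "'..' segment in socket path: $clean")
        if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return (undef, "not an existing UNIX socket: $clean") unless -S $clean;
    return ($clean, undef);
}

# Demo with constructed inputs (runs only when the file is executed directly).
unless (caller) {
    require File::Temp;
    require IO::Socket::UNIX;
    my $dir  = File::Temp::tempdir(CLEANUP => 1);
    my $sock = "$dir/clamd-sa.sock";
    my $listener = IO::Socket::UNIX->new(Local => $sock, Listen => 1)
        or die "cannot create demo socket: $!";
    # %ENV is tainted under -T; appending an empty tainted substring taints a
    # string the same way a value read from a rules file would be tainted.
    my $taint = substr($ENV{PATH} // '', 0, 0);
    for my $cand ("$sock$taint", "$dir/missing.sock$taint",
                  "clamd-sa.sock$taint", "$dir/clamd sa.sock$taint") {
        my ($ok, $why) = validate_clamd_socket($cand);
        printf "%-45s => %s\n", $cand,
            defined $ok ? sprintf('OK (tainted=%d)', tainted($ok) ? 1 : 0)
                        : "REJECT: $why";
    }
}
```

Run it as `perl -T validate_clamd_socket.pl`; a plain `perl` invocation dies with "Too late for -T" because of the shebang flag. In the plugin, a rejected path should make check_clamav() log the reason with dbg() and return 0 rather than hand the value to File::Scan::ClamAV.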