You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by Marc MERLIN <ma...@merlins.org> on 2004/11/30 04:37:08 UTC

Insecure dependency in SA plugin

So, I'm not new to perl or taint mode, but I've been stumbling on this
problem all weekend without finding a fix

$envfrom=some tainted source, i.e. $permsgstatus->get($option{'envfromhdr'})
# clean variables to run properly under -T
#$envfrom =~ /(.+)/; # this didn't work, so maybe my perl is more picky and
                     # won't untain on .+ anymore?
$envfrom =~ m'([-!#%( )*+,.0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]^_abcdefghijklmnopqrstuvwxyz{|}~]+)';
$envfrom = $1 or "";
warn "GREYLIST envfrom: $envfrom\n";
mkdir "/tmp/$envfrom";

The problem is that even the above code still gives me insecure depency errors.
Nov 29 19:06:45 magic spamd[9297]: GREYLIST entered
Nov 29 19:06:45 magic spamd[9297]: GREYLIST running
Nov 29 19:06:45 magic spamd[9297]: GREYLIST envfrom: svlug-bounces+svlug-local=merlins.org@lists.svlug.org
Nov 29 19:06:46 magic spamd[9297]: result: . -2 - BAYES_00,GREYLIST_ISWHITE,NOREVDNS scantime=8.0,size=3199,mid=<41...@i2telecom.com>,bayes=1.11022302462516e-16,autolearn=ham
Nov 29 19:08:35 magic spamd[21955]: GREYLIST entered
Nov 29 19:08:35 magic spamd[21955]: GREYLIST running
Nov 29 19:08:35 magic spamd[21955]: GREYLIST envfrom: exim-users-bounces+exim-users-local=merlins.org@exim.org
Nov 29 19:08:35 magic spamd[21955]: Failed to run GREYLIST_ISWHITE SpamAssassin test, skipping:__(Insecure dependency in mkdir while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 162._)

But, here's the kicker: only sometimes (see above). 
I've added the warn to see if that was related to the Email, but I haven't
found any pattern yet.

I'm starting to suspect my perl, because
1) a pattern being tainted sometimes but not always isn't right
2) the perlsec man page still says that even $envfrom =~ /(.+)/;
   $envfrom = ($1 or "");
   should untaint the variable.
3) this happens one time in ten more or less
4) it doesn't even seem to depend on the type of data in the variable
   (see the above, two similar VERP addresses, one went through and one didn't)

I'm running the latest debian perl: 5.8.4-4

Am I missing some SA trick, or should I take this with the perl folks?

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

Re: Insecure dependency in SA plugin (razor2 too)

Posted by Marc MERLIN <ma...@merlins.org>.

On Mon, Nov 29, 2004 at 07:37:08PM -0800, Marc MERLIN wrote:
> Nov 29 19:08:35 magic spamd[21955]: GREYLIST envfrom: exim-users-bounces+exim-users-local=merlins.org@exim.org
> Nov 29 19:08:35 magic spamd[21955]: Failed to run GREYLIST_ISWHITE SpamAssassin test, skipping:__(Insecure dependency in mkdir while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 162._)

I should also mention that I get the same problem with razor2:
spamd[5033]: razor2 check skipped:  Insecure dependency in open while running with -T switch at /usr/share/perl5/Razor2/Logger.pm line 30. 
 
First, I thought it might have been a bug in SA 3.0.1-1(deb), but it just
occured to me that the razor code may be hitting the same problem than my
plugin (and I found no mentions of it bugzilla)

So, is my perl bad, or what's happening?

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

Re: Insecure dependency in SA plugin

Posted by Marc MERLIN <ma...@merlins.org>.

On Tue, Nov 30, 2004 at 05:01:06PM -0800, Justin Mason wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Marc -- I've run into this a couple of times.  seems to be a perl
> issue.  the fix is to create a *new* variable name -- not reuse
> the same "$envfrom" variable.  you can do:
> 
>     my $newenvfrom = $1; $envfrom = undef; $envfrom = $newenvfrom;
> 
> if you like.

So, after a few days of testing, I can confirm that it works, thanks for the
trick.

I've put a comment that this is at least a perl 5.8.4 bug

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key