Posted to users@spamassassin.apache.org by David Morton <mo...@dgrmm.net> on 2010/01/27 00:16:39 UTC

insecure dependency in sa-learn --import

Trying to import a bayes db, I get:

#sa-learn --import
bayes: perform_upgrade: Insecure dependency in open while running with
-T switch at /usr/share/perl/5.8/File/Copy.pm line 133.

perl 5.8.8


--
David Morton <mo...@dgrmm.net>

Morton Software & Design  http://www.dgrmm.net - Ruby on Rails
                                                 PHP Applications
Maia Mailguard http://www.maiamailguard.com    - Spam management
                                                 for mail servers

Re: insecure dependency in sa-learn --import

Posted by David Morton <mo...@dgrmm.net>.
Mark Martinec wrote:
>> perl 5.8.8
> 
> --- lib/Mail/SpamAssassin/BayesStore/DBM.pm	(revision 903517)
> +++ lib/Mail/SpamAssassin/BayesStore/DBM.pm	(working copy)
> @@ -1438,6 +1438,9 @@
>      # bayes directory
>      my $main = $self->{bayes}->{main};
>      my $path = $main->sed_path($main->{conf}->{bayes_path});
> +
> +    # prevent dirname() from tainting the result, it assumes $1 is not tainted
> +    local($1,$2,$3);
>      my $dir = dirname($path);
>  
>      # make temporary copy since old dbm and new dbm may have same name
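
Review bot: the comment above `local($1,$2,$3);` does not say why exactly these three capture variables are localized, so a reader cannot tell whether the choice matches what dirname() actually uses or is a guess. State in the comment what the choice of $1..$3 is based on, and record the reported symptom ("Insecure dependency in open" under -T, seen with perl 5.8.8) so the workaround can be re-checked or dropped against later perl releases.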



Thanks Mark, I can confirm that works for me.

--
David Morton <mo...@dgrmm.net>

Morton Software & Design  http://www.dgrmm.net - Ruby on Rails
                                                 PHP Applications
Maia Mailguard http://www.maiamailguard.com    - Spam management
                                                 for mail servers

Re: insecure dependency in sa-learn --import

Posted by Mark Martinec <Ma...@ijs.si>.
David,

> Trying to import a bayes db, I get:
> 
> #sa-learn --import
> bayes: perform_upgrade: Insecure dependency in open while running with
> -T switch at /usr/share/perl/5.8/File/Copy.pm line 133.
> 
> perl 5.8.8

--- lib/Mail/SpamAssassin/BayesStore/DBM.pm	(revision 903517)
+++ lib/Mail/SpamAssassin/BayesStore/DBM.pm	(working copy)
@@ -1438,6 +1438,9 @@
     # bayes directory
     my $main = $self->{bayes}->{main};
     my $path = $main->sed_path($main->{conf}->{bayes_path});
+
+    # prevent dirname() from tainting the result, it assumes $1 is not tainted
+    local($1,$2,$3);
     my $dir = dirname($path);
 
     # make temporary copy since old dbm and new dbm may have same name
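
Review bot: at `my $dir = dirname($path);` the fix depends on a side effect inside dirname() rather than on $dir itself being checked, so nothing at this point fails visibly if the workaround stops being sufficient. Consider validating $dir explicitly right after the call, or at least adding a regression test that runs this upgrade path under -T, since the report shows the failure only surfacing later, in the open inside File/Copy.pm.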



Mark

Re: insecure dependency in sa-learn --import

Posted by Warren Togami <wt...@redhat.com>.
On 01/26/2010 06:16 PM, David Morton wrote:
> Trying to import a bayes db, I get:
>
> #sa-learn --import
> bayes: perform_upgrade: Insecure dependency in open while running with
> -T switch at /usr/share/perl/5.8/File/Copy.pm line 133.
>
> perl 5.8.8

What distribution?

Warren