You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Chris Welch <ch...@neumes.com> on 2010/04/18 21:33:20 UTC

Open of auto-whitelist file failed: Insecure dependency in eval...

I just upgraded a CentOS 5.4 system to Spamassassin 3.3.1.  The upgrade was
done by a CPAN install with Perl.

The previous version (3.2.5) had worked flawlessly for a couple of years.
However, the upgraded version reports an error in the spamd.log file:

Sun Apr 18 15:21:10 2010 [7966] warn: auto-whitelist: open of auto-whitelist
file failed: Insecure dependency in eval while running with -T switch at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Util.pm line 996.

I tried numerous permission changes but can't clear the error.

Spamassassin is launched using:

/usr/bin/spamd -u exim -s /var/log/spamd.log -i 0.0.0.0 -A
192.168.0.0/24,127.0.0.1 -d

Running perl v 5.8.8

It doesn't report any problems with the Bayes databases.  They are updated
without error.  The auto-whitelist DB is configured to be store at the same
location.

Spamassassin is running fine otherwise and properly flagging spam and non
spam messages.  The only problem appears to be that AWL is failed.

Any suggestions to resolve the problem would be appreciated.

Tx much!

Chris

RE: Open of auto-whitelist file failed: Insecure dependency in eval...

Posted by Chris Welch <ch...@neumes.com>.

Works like a charm!

Bug raised (6415).

Thanks very much sir!

Chris

-----Original Message-----
From: Mark Martinec [mailto:Mark.Martinec+sa@ijs.si] 
Sent: April 18, 2010 5:48 PM
To: users@spamassassin.apache.org
Subject: Re: Open of auto-whitelist file failed: Insecure dependency in
eval...

On Sunday April 18 2010 21:33:20 Chris Welch wrote:

> I just upgraded a CentOS 5.4 system to Spamassassin 3.3.1.  The upgrade
was
> done by a CPAN install with Perl.
> 
> The previous version (3.2.5) had worked flawlessly for a couple of years.
> However, the upgraded version reports an error in the spamd.log file:
> 
> Sun Apr 18 15:21:10 2010 [7966] warn: auto-whitelist:
>  open of auto-whitelist file failed:
>  Insecure dependency in eval while running with -T switch
>  at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Util.pm line 996.

Yes, a bug when you use a configuration directive auto_whitelist_db_modules.
Either avoid its use, or apply the patch below.

Please open a bug report, so that we can properly fold it into
the next version.


Index: lib/Mail/SpamAssassin/DBBasedAddrList.pm
===================================================================
--- lib/Mail/SpamAssassin/DBBasedAddrList.pm	(revision 935407)
+++ lib/Mail/SpamAssassin/DBBasedAddrList.pm	(working copy)
@@ -24,7 +24,7 @@
 use Fcntl;
 
 use Mail::SpamAssassin::PersistentAddrList;
-use Mail::SpamAssassin::Util;
+use Mail::SpamAssassin::Util qw(untaint_var);
 use Mail::SpamAssassin::Logger;
 
 our @ISA = qw(Mail::SpamAssassin::PersistentAddrList);
@@ -54,6 +54,7 @@
   };
 
   my @order = split (' ', $main->{conf}->{auto_whitelist_db_modules});
+  untaint_var(\@order);
   my $dbm_module = Mail::SpamAssassin::Util::first_available_module
(@order);
   if (!$dbm_module) {
     die "auto-whitelist: cannot find a usable DB package from
auto_whitelist_db_modules: " .



Mark

Re: Open of auto-whitelist file failed: Insecure dependency in eval...

Posted by Mark Martinec <Ma...@ijs.si>.

On Sunday April 18 2010 21:33:20 Chris Welch wrote:

> I just upgraded a CentOS 5.4 system to Spamassassin 3.3.1.  The upgrade was
> done by a CPAN install with Perl.
> 
> The previous version (3.2.5) had worked flawlessly for a couple of years.
> However, the upgraded version reports an error in the spamd.log file:
> 
> Sun Apr 18 15:21:10 2010 [7966] warn: auto-whitelist:
>  open of auto-whitelist file failed:
>  Insecure dependency in eval while running with -T switch
>  at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Util.pm line 996.

Yes, a bug when you use a configuration directive auto_whitelist_db_modules.
Either avoid its use, or apply the patch below.

Please open a bug report, so that we can properly fold it into
the next version.


Index: lib/Mail/SpamAssassin/DBBasedAddrList.pm
===================================================================
--- lib/Mail/SpamAssassin/DBBasedAddrList.pm	(revision 935407)
+++ lib/Mail/SpamAssassin/DBBasedAddrList.pm	(working copy)
@@ -24,7 +24,7 @@
 use Fcntl;
 
 use Mail::SpamAssassin::PersistentAddrList;
-use Mail::SpamAssassin::Util;
+use Mail::SpamAssassin::Util qw(untaint_var);
 use Mail::SpamAssassin::Logger;
 
 our @ISA = qw(Mail::SpamAssassin::PersistentAddrList);
@@ -54,6 +54,7 @@
   };
 
   my @order = split (' ', $main->{conf}->{auto_whitelist_db_modules});
+  untaint_var(\@order);
   my $dbm_module = Mail::SpamAssassin::Util::first_available_module (@order);
   if (!$dbm_module) {
     die "auto-whitelist: cannot find a usable DB package from auto_whitelist_db_modules: " .



Mark

Re: Open of auto-whitelist file failed: Insecure dependency in eval...

Posted by Kai Schaetzl <ma...@conactive.com>.

Chris Welch wrote on Sun, 18 Apr 2010 15:33:20 -0400:

> I just upgraded a CentOS 5.4 system to Spamassassin 3.3.1.  The upgrade was
> done by a CPAN install with Perl.

which you should not do. Unless there is *no* other chance a Perl or modules 
or Perl programs on an rpm-based system should be upgraded/installed with 
rpm.

I don't see this error on CentOS. But I'm not usign spamd, so it may be 
spamd-specific or because of the CPAN install.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com