From m.seaman@infracaninophile.co.uk  Thu Sep 25 06:36:11 2003
Return-Path: <m.seaman@infracaninophile.co.uk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 69E0F16A4B3; Thu, 25 Sep 2003 06:36:11 -0700 (PDT)
Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.69.218])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4251A43FF9; Thu, 25 Sep 2003 06:36:06 -0700 (PDT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [127.0.0.1])
	by smtp.infracaninophile.co.uk (8.12.9p2/8.12.9) with ESMTP id h8PDZVWT006737
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 25 Sep 2003 14:36:01 +0100 (BST)
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)
	by happy-idiot-talk.infracaninophile.co.uk (8.12.9p2/8.12.9/Submit) id h8PDZVuo006736;
	Thu, 25 Sep 2003 14:35:31 +0100 (BST)
	(envelope-from matthew)
Message-Id: <200309251335.h8PDZVuo006736@happy-idiot-talk.infracaninophile.co.uk>
Date: Thu, 25 Sep 2003 14:35:31 +0100 (BST)
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Reply-To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc: leeym@freebsd.org, DougB@freebsd.org
Subject: mail/razor-agents -- Latest version of SpamAssassin tickles taint mode bug
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         57210
>Category:       ports
>Synopsis:       mail/razor-agents -- Latest version of SpamAssassin tickles taint mode bug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    leeym
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 25 06:40:20 PDT 2003
>Closed-Date:    Thu Sep 25 18:48:24 PDT 2003
>Last-Modified:  Thu Sep 25 18:48:24 PDT 2003
>Originator:     Matthew Seaman
>Release:        FreeBSD 4.9-PRERELEASE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #31: Thu Sep 25 11:19:11 BST 2003 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386



>Description:

The recent update of the mail/p5-Mail-SpamAssassin port resulted in numerous
log file entries like the following:

Sep 25 14:18:44 happy-idiot-talk spamd[6385]: razor2 check skipped:  Insecure dependency in connect while running setuid at /usr/local/lib/perl5/5.8.0/mach/IO/Socket.pm line 114, <GEN78> line 64. 

This appears to be the same as bug #2439 in the SpamAssassin bugzilla:

  http://bugzilla.spamassassin.org/show_bug.cgi?id=2439

Their analysis is that the latest SpamAssassin is exposing some unsafe
taint-mode behaviour in the Razor2 code:

  http://article.gmane.org/gmane.mail.spam.spamassassin.general/29666

>How-To-Repeat:

Run SpamAssassin spamd/spamc programs with the Razor checks enabled.

>Fix:

The patches given in the gmane.org article are effective at curing the
problem.  I applied them directly to the installed Razor2 Perl code,
so paths aren't correct for putting the below directly into ports.

--- razor.patch begins here ---
--- Client/Config.pm~	2002-11-25 19:13:59.000000000 +0100
+++ Client/Config.pm	2002-11-11 19:29:17.000000000 +0100
@@ -373,6 +373,7 @@
             next unless /=/;
             my ($attribute, $value) = split /\=/, $_, 2; 
             $attribute =~ s/^\s+//; $attribute =~ s/\s+$//;
+            $value = $1  if $value =~ /^(.*)$/;  # untaint!
             $conf->{$attribute} = $self->parse_value($value);
         }
         $total++;
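
Review bot: the added match against /^(.*)$/ in Client/Config.pm accepts any single-line value, so it clears the taint flag without checking anything about the configuration value, and taint mode no longer has anything to enforce for data read through this loop. Consider matching against the characters a value may legitimately contain (or validating per attribute before parse_value is called) and warning on lines that do not match. As written, a value that fails the match is passed to parse_value still tainted and with no diagnostic.
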
--- Client/Core.pm~	2002-11-25 19:07:38.000000000 +0100
+++ Client/Core.pm	2002-11-25 18:55:35.000000000 +0100
@@ -216,8 +216,10 @@
         foreach $rr ($query->answer) { 
             my $pushed = 0;
             if ($rr->type eq "A") { 
-                push @list, $rr->address; 
-                $pushed = 1;
+                if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) {
+                    push @list, $1; 
+                    $pushed = 1;
+                }
             } elsif ($rr->type eq "CNAME") { 
                 if ($rr->cname eq 'list.terminator') { 
                     pop @list if $pushed;
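
Review bot: the pattern m/^(\d+\.\d+\.\d+\.\d+)$/ added in Client/Core.pm is looser than a dotted-quad check, because \d+ puts no limit on the length or range of each octet, yet the captured string is then trusted as untainted. Consider \d{1,3} per octet plus a range check on the four captures before the push. An A record whose address fails the match is now skipped silently, so a debug log line in that branch would make a shrinking server list diagnosable.
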
--- razor.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->leeym  
Responsible-Changed-By: krion 
Responsible-Changed-When: Thu Sep 25 12:37:56 PDT 2003 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57210 
State-Changed-From-To: open->closed 
State-Changed-By: leeym 
State-Changed-When: Thu Sep 25 18:48:23 PDT 2003 
State-Changed-Why:  
Committed, thanks. 

>Unformatted:
