ports/57210: mail/razor-agents -- Latest version of SpamAssassin tickles taint mode bug

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Sep 25 13:40:42 UTC 2003


>Number:         57210
>Category:       ports
>Synopsis:       mail/razor-agents -- Latest version of SpamAssassin tickles taint mode bug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 25 06:40:20 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Seaman
>Release:        FreeBSD 4.9-PRERELEASE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #31: Thu Sep 25 11:19:11 BST 2003 root at happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386



>Description:

The recent update of the mail/p5-Mail-SpamAssassin port resulted in numerous
log file entries like the following:

Sep 25 14:18:44 happy-idiot-talk spamd[6385]: razor2 check skipped:  Insecure dependency in connect while running setuid at /usr/local/lib/perl5/5.8.0/mach/IO/Socket.pm line 114, <GEN78> line 64. 

This appears to be the same as bug #2439 in the SpamAssassin bugzilla:

  http://bugzilla.spamassassin.org/show_bug.cgi?id=2439

Their analysis is that the latest SpamAssassin is exposing some unsafe
taint-mode behaviour in the Razor2 code:

  http://article.gmane.org/gmane.mail.spam.spamassassin.general/29666

>How-To-Repeat:

Run SpamAssassin spamd/spamc programs with the Razor checks enabled.

>Fix:

The patches given in the gmane.org article are effective at curing the
problem.  I applied them directly to the installed Razor2 perl code,
so paths aren't correct for putting the below directly into ports.

--- razor.patch begins here ---
--- Client/Config.pm~	2002-11-25 19:13:59.000000000 +0100
+++ Client/Config.pm	2002-11-11 19:29:17.000000000 +0100
@@ -373,6 +373,7 @@
             next unless /=/;
             my ($attribute, $value) = split /\=/, $_, 2; 
             $attribute =~ s/^\s+//; $attribute =~ s/\s+$//;
+            $value = $1  if $value =~ /^(.*)$/;  # untaint!
             $conf->{$attribute} = $self->parse_value($value);
         }
         $total++;
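
Review bot: The untaint on the added line in Client/Config.pm uses /^(.*)$/, which accepts any single-line value, so it clears the taint flag without validating anything read from the config file. The log entry in the description shows tainted data reaching connect, so values used for that purpose deserve a real check: match each value against what its attribute may legitimately contain (a restricted character class for host names, digits only for ports) and skip or reject the entry otherwise. If the match ever fails, $value stays tainted and is still passed to parse_value, so that case should be handled explicitly rather than left to fall through.
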
--- Client/Core.pm~	2002-11-25 19:07:38.000000000 +0100
+++ Client/Core.pm	2002-11-25 18:55:35.000000000 +0100
@@ -216,8 +216,10 @@
         foreach $rr ($query->answer) { 
             my $pushed = 0;
             if ($rr->type eq "A") { 
-                push @list, $rr->address; 
-                $pushed = 1;
+                if ($rr->address =~ m/^(\d+\.\d+\.\d+\.\d+)$/) {
+                    push @list, $1; 
+                    $pushed = 1;
+                }
             } elsif ($rr->type eq "CNAME") { 
                 if ($rr->cname eq 'list.terminator') { 
                     pop @list if $pushed;
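
Review bot: The pattern in the new if in Client/Core.pm is looser than an IPv4 address: \d+ puts no bound on each octet and $ also matches before a trailing newline, so a string such as 999.999.999.999 passes and comes out untainted. Consider \A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z followed by a check that each octet is at most 255. An A record whose address fails the match is now dropped silently; a debug message on that branch would make the skipped record visible.
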
--- razor.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


