Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#36509 - [postgrey] - unsafe removal of Perl Taint mode in 1.34-16
Attached to Project:
Community Packages
Opened by Jacob Joseph (jacobjjoseph.org) - Monday, 12 August 2013, 19:17 GMT
Last edited by Sergej Pupykin (sergej) - Wednesday, 14 August 2013, 08:41 GMT
Hi. I notice that the commit for postgrey 1.34-16 patches out "-T", thereby disabling the Taint checking intended by the author. I'm very wary of the security implications of this change, especially for something that deals with mail input.
That said, I do see that postgrey fails due to a violation related to IO::Socket. A closely related bug occurred in FreeBSD, and appeared to be the result of Perl modules that were out of sync. Here are a few links:
http://www.perlmonks.org/?node_id=1025751
http://freebsd.1045724.n5.nabble.com/Re-ports-177416-mail-postgrey-has-surfaced-a-bug-in-perl-s-taint-checking-td5799553.html
Jacob
Closed by Sergej Pupykin (sergej)
Wednesday, 14 August 2013, 08:41 GMT
Reason for closing: Fixed
Additional comments about closing: patch applied, thank you
- disable daemonization
- removing -T
( https://mailman.archlinux.org/pipermail/arch-general/2013-June/033631.html )
I got to debugging this issue more. Tracing reveals that the pid_file variable is tainted and at fault. Indeed, not specifying --pidfile on the command line causes all to work fine.
--------
perl -t -w -d:Trace /usr/bin/postgrey --inet=127.0.0.1:10030 -v --pidfile=/run/postgrey/postgrey2.pid --group=postgrey --user=postgrey --daemonize
in syslog:
Aug 13 14:13:44 aws postgrey[5810]: WARNING: Insecure dependency in unlink while running with -t switch at /usr/share/perl5/vendor_perl/Net/Server.pm line 757.
Aug 13 14:13:44 aws postgrey[5810]: WARNING: Insecure dependency in unlink while running with -t switch at /usr/share/perl5/vendor_perl/Net/Server.pm line 757.
Server.pm lines 753 - 758:
if (defined($prop->{'pid_file'})
    && -e $prop->{'pid_file'}
    && !$prop->{'_HUP'}
    && defined($prop->{'pid_file_unlink'})) {
    unlink($prop->{'pid_file'}) || $self->log(1, "Couldn't unlink \"$prop->{'pid_file'}\" [$!]");
}
-------
It then becomes obvious pidfile should be handled identically to dbdir in postgrey. That is:
postgrey lines 555-558:
# untaint what is given on --dbdir. It is not security sensitive since
# it is provided by the admin
if($opt{dbdir}) {
    $opt{dbdir} =~ /^(.*)$/; $opt{dbdir} = $1;
}
This led me to find that the issue has already been reported upstream: https://github.com/schweikert/postgrey/issues/3
The fix is:
--- postgrey.orig 2010-05-04 20:51:52.000000000 +0000
+++ postgrey
@@ -552,6 +552,10 @@ sub main()
if($opt{dbdir}) {
$opt{dbdir} =~ /^(.*)$/; $opt{dbdir} = $1;
}
+ # untaint pidfile
+ if($opt{pidfile}) {
+ $opt{pidfile} =~ /^(.*)$/; $opt{pidfile} = $1;
+ }
# determine proper "logsock" for Sys::Syslog
my $syslog_logsock;
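Review bot: the added pidfile block copies the dbdir idiom and so inherits its weak spot: `$opt{pidfile} =~ /^(.*)$/; $opt{pidfile} = $1;` assigns $1 without checking that the match succeeded. Because `.` does not cross a newline, a value with an embedded newline fails to match, and $1 then still holds whatever the last successful match captured (possibly the dbdir value from two lines above) or is undef, so the pid file path is silently replaced. Suggest `if ($opt{pidfile} =~ /^(.*)$/s) { $opt{pidfile} = $1 }`, or better a pattern limited to an absolute path with a conservative character class, and extend the `# untaint pidfile` comment the way the dbdir comment does to record why a blanket untaint is acceptable here (the value is supplied by the admin).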
Thanks.
~Jacob
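An added illustration of the taint behaviour this report describes (it is not code from postgrey or from the reporter): it shows the taint flag on a --pidfile value taken from the command line, the "Insecure dependency" error that unlink() raises on it under -T, and a stricter untaint helper (hypothetical, named untaint_path) in place of the blanket /^(.*)$/ used for dbdir. Run it as perl -T untaint_demo.pl --pidfile=/tmp/untaint_demo.pid.

```perl
use strict;
use warnings;
use Getopt::Long;
use Scalar::Util qw(tainted);

# Hypothetical helper, not from postgrey: instead of the blanket /^(.*)$/
# used for dbdir, accept only an absolute path made of a conservative
# character set, and trust $1 only when the match actually succeeded
# (after a failed match $1 still holds the previous capture).
sub untaint_path {
    my ($path) = @_;
    return $1 if defined $path && $path =~ m{^(/[\w.\-/]+)$};
    return undef;
}

my %opt;
GetOptions(\%opt, 'pidfile=s') && defined $opt{pidfile}
    or die "usage: perl -T $0 --pidfile=PATH\n";
my $pidfile = $opt{pidfile};

# Anything derived from @ARGV carries the taint flag.
printf "before untaint: tainted=%d\n", tainted($pidfile) ? 1 : 0;

# unlink() on a tainted path is an "Insecure dependency": under -T it dies
# (caught by eval here); under -t it only warns, which is the syslog line
# quoted in the report.
my $ok = eval { unlink($pidfile); 1 };
print "unlink of tainted path: ", ($ok ? "allowed\n" : "refused: $@");

my $clean = untaint_path($pidfile)
    // die "refusing pidfile '$pidfile': not a plain absolute path\n";
printf "after untaint:  tainted=%d\n", tainted($clean) ? 1 : 0;

# With the flag cleared, writing and unlinking the pid file both work.
open my $fh, '>', $clean or die "cannot write $clean: $!";
print {$fh} "$$\n";
close $fh;
unlink($clean) or die "cannot unlink $clean: $!";
print "untainted pid file written and removed: $clean\n";
```

Passing a value such as --pidfile='/run/x;rm' makes untaint_path reject it, which is the check the blanket pattern in the patch skips.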