Warning: recent vendor perl patch may harm MailScanner

Kai Schaetzl maillists at CONACTIVE.COM
Wed Dec 21 21:19:45 GMT 2005



SuSE has issued a perl patch on Dec. 19 for all its supported platforms 
which may cause you problems with MailScanner, be careful! It's the fix
SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962
Other vendors will probably push this important patch as well.

Problems may only occur if you used CPAN to install some modules required 
by MailScanner.

But I'm not convinced that it only affects those. Reason: That patch seems 
to either overwrite MIME::Base64 with the version current when the OS 
version was released (in this case 2.20) or write this information to some 
housekeeping file belonging to Perl. This clash could occur with 
rpm-installed MIME::Base64 as well.

Symptoms: MailScanner dies with
MIME::Base64 object version 2.20 does not match bootstrap parameter 3.05 
at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/DynaLoader.pm line 249. 
Compilation failed in require at /usr/sbin/MailScanner line 55. 
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 59.

You get the same error when opening the CPAN shell and just doing 
"i MIME::Base64" (LWP failed with code[500] message[MIME::Base64 object 
version 2.20 does not match bootstrap parameter 3.05]). It also says 
"strange package name" or so. I tried upgrading (via CPAN) to version 3.07 
(current) of MIME::Base64 and, when this didn't help, installing all perl 
rpms coming with the MailScanner tar.gz. Nothing helped; even worse, this 
made MailScanner grab memory ad infinitum. And SpamAssassin make test as 
well. Only the above-mentioned trick helped. Perl says now that the version 
of MIME::Base64 installed is 2.20 on the machine with a working (!) 
MailScanner and 3.0.5 on a machine where MailScanner doesn't work and 
where I did nothing to fix the problem.

Going back to the last Perl patch version is obviously not recommended 
since the fixed problem is a serious one. This problem may indeed only 
occur under certain circumstances, but better beware!

Julian, any thoughts on the nature of the problem and how to solve it and 
keep the patch?





Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
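
Added example, not part of the original post: the DynaLoader error quoted above means the $VERSION declared in Base64.pm differs from the version compiled into the Base64 shared object. This POSIX shell check lists every copy of both files across Perl's @INC directories and flags a mixed install before the patched perl reaches a production MailScanner host. It assumes a Linux layout (auto/MIME/Base64/Base64.so); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find mixed MIME::Base64 installs across Perl's @INC.
# Pass the @INC directories in search order, for instance:
#   check_base64 $(perl -e 'print "$_\n" for @INC')
# (assumes no whitespace in the @INC paths)

# Print the first $VERSION value declared in a .pm file.
pm_version() {
    sed -n 's/^[^#]*\$VERSION *= *["'\'']\{0,1\}\([0-9][0-9._]*\).*/\1/p' "$1" | head -n 1
}

# List every Base64.pm and Base64.so found. Return 1 when more than one
# module version is installed, or when the first Base64.pm and the first
# Base64.so in search order live in different @INC directories.
check_base64() {
    first_pm_dir= ; first_so_dir= ; versions= ; status=0
    for dir in "$@"; do
        pm="$dir/MIME/Base64.pm"
        so="$dir/auto/MIME/Base64/Base64.so"   # assumption: Linux ".so" suffix
        if [ -f "$pm" ]; then
            v=$(pm_version "$pm")
            echo "module  $v  $pm"
            [ -n "$first_pm_dir" ] || first_pm_dir=$dir
            case " $versions " in
                *" $v "*) ;;                   # version already recorded
                *) versions="$versions $v" ;;
            esac
        fi
        if [ -f "$so" ]; then
            echo "object  $so"
            [ -n "$first_so_dir" ] || first_so_dir=$dir
        fi
    done
    set -- $versions                           # count distinct versions
    if [ "$#" -gt 1 ]; then
        echo "WARNING: several MIME::Base64 versions installed:$versions"
        status=1
    fi
    if [ "$first_pm_dir" != "$first_so_dir" ]; then
        echo "WARNING: Base64.pm in '$first_pm_dir' pairs with Base64.so in '$first_so_dir'"
        status=1
    fi
    return $status
}
```

A return status of 0 only means the file layout is consistent; the check does not read the version compiled into the shared object itself.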
