Warning: recent vendor perl patch may harm MailScanner

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Thu Dec 22 14:23:31 GMT 2005

Kai Schaetzl wrote:

>SuSE has issued a perl patch on Dec. 19 for all its supported platforms
>which may cause you problems with MailScanner, be careful! It's the fix
>SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962
>Other vendors will probably push this important patch as well.
>
>Problems may only occur if you used CPAN to install some modules required
>by MailScanner.
>But I'm not convinced that it only affects those. Reason: That patch seems
>to either overwrite MIME::Base64 with the version current when the OS
>version was released (in this case 2.20) or write this information to some
>housekeeping file belonging to Perl. This clash could occur with
>rpm-installed MIME::Base64 as well.
>
>Symptoms: MailScanner dies with
>MIME::Base64 object version 2.20 does not match bootstrap parameter 3.05
>at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/DynaLoader.pm line 249.
>Compilation failed in require at /usr/sbin/MailScanner line 55.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 59.
>
>You get the same error when opening the CPAN shell and just doing
>"i MIME::Base64" (LWP failed with code[500] message[MIME::Base64 object
>version 2.20 does not match bootstrap parameter 3.05]). It also says
>"strange package name" or so. I tried upgrading (via CPAN) to version 3.07
>(current) of MIME::Base64 and when this didn't help installing all perl
>rpms coming with the MailScanner tar.gz. Nothing helped, even worse this
>made MailScanner grab memory ad infinitum. And SpamAssassin make test as
>well. Only the above-mentioned trick helped. Perl says now that the version
>of MIME::Base64 installed is 2.20 on the machine with a working (!)
>MailScanner and 3.0.5 on a machine where MailScanner doesn't work and
>where I did nothing to fix the problem.
>
>Going back to the last Perl patch version is obviously not recommended
>since the fixed problem is a serious one. This problem may indeed only
>occur under circumstances, but better beware!
>
>Julian, any thoughts on the nature of the problem and how to solve it and
>keep the patch?

Upgraded Perl on RHEL 3 and 4 servers yesterday running MS 4.47.4 and 
4.46.2 without any problem.  All is fine.  No error messages either.  
All Perl modules bundled with MS were installed by MS (not CPAN).  
MailScanner -v says:
3.05    MIME::Base64

I guess Red Hat did it better than SuSE...

Happy holidays to everybody!  I hope everyone will be able to forget 
about the mail servers for at least a couple of days...  that includes 
you, Julian... you deserve it!!!


  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
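
Added example, not part of either message above: a shell triage for the "object version ... does not match bootstrap parameter ..." error quoted in the thread. In that message the bootstrap parameter is the $VERSION of the Base64.pm that perl loaded and the object version is the one compiled into the shared object, so the script pulls both out of the log line and lists every copy of the .pm with its version; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Triage for "object version X does not match bootstrap parameter Y".

# parse_mismatch: log text on stdin -> "module object_version pm_version"
parse_mismatch() {
    sed -n -e 's/^/ /' -e 's/.*[^A-Za-z0-9_:]\([A-Za-z0-9_:][A-Za-z0-9_:]*\) object version \([0-9][0-9._]*\) does not match bootstrap parameter \([0-9][0-9._]*\).*/\1 \2 \3/p'
}

# pm_version FILE: first value assigned to $VERSION in a .pm file (heuristic:
# handles the plain  $VERSION = '3.05';  form, not computed versions)
pm_version() {
    sed -n 's/^[^#]*\$VERSION[[:space:]]*=[^0-9]*\([0-9][0-9._]*\).*/\1/p' "$1" | head -n 1
}

# list_copies RELPATH DIR...: "version<TAB>path" for each copy, in search order.
# The first line is the copy perl would load from that search path.
list_copies() {
    rel=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$rel" ]; then
            printf '%s\t%s\n' "$(pm_version "$dir/$rel")" "$dir/$rel"
        fi
    done
}

# count_versions RELPATH DIR...: number of distinct versions among the copies
count_versions() {
    list_copies "$@" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree (not from the post): a site copy shadowing a vendor copy.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/site/MIME" "$SAMPLE/vendor/MIME"
printf '%s\n' 'package MIME::Base64;' "\$VERSION = '3.05';" > "$SAMPLE/site/MIME/Base64.pm"
printf '%s\n' 'package MIME::Base64;' "\$VERSION = '2.20';" > "$SAMPLE/vendor/MIME/Base64.pm"

# Error text as quoted in the post, joined onto one line.
LOG='MIME::Base64 object version 2.20 does not match bootstrap parameter 3.05 at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/DynaLoader.pm line 249.'

printf '%s\n' "$LOG" | parse_mismatch
list_copies MIME/Base64.pm "$SAMPLE/site" "$SAMPLE/vendor"
echo "distinct versions: $(count_versions MIME/Base64.pm "$SAMPLE/site" "$SAMPLE/vendor")"
```

On a real host, pass the directories printed by `perl -e 'print join(" ", @INC)'` in place of the sample paths; more than one distinct version means a .pm from one install can be paired with a shared object from another.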
