Taint error with Perl v5.10.1

Edward Prendergast edward.prendergast at netring.co.uk
Mon Dec 7 11:53:57 GMT 2009


Hi,

I'm trying to bypass the Perl of the system (CentOS 5.4) so I can use 
CPAN for up-to-date modules. I've got a copy of Perl in /opt/perl5, and 
the new Perl is added to the beginning of $PATH.

MailScanner itself starts fine but when it tries to pull in custom 
modules taint errors occur:

Dec  7 11:40:24 server8 MailScanner[24803]: MailScanner E-Mail Virus Scanner version 4.78.17 starting...
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/ZMRouterDirHash.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )
Dec  7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754.
Dec  7 11:40:24 server8 MailScanner[24803]: )

When MailScanner drops privileges it goes down to the postfix user. In 
case this was related to file permissions, I altered all the custom 
modules' ownership to root:postfix, but this made no difference. My best 
guess is a tainted @INC:

http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_@INC

But I'm not sure if this is correct, and if it is, how to go about 
solving it?

Thanks,
Edward
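
The "Insecure dependency in require" error in the log above can be reproduced outside MailScanner. The Perl script below is an added example, not part of the original post and not MailScanner's code; it shows one way a tainted path reaches require (a file name returned by readdir()) and how validating the name against a strict pattern untaints it. The /tmp directory, the stub module and the allowlist pattern are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_require.pl
use strict;
use warnings;

# Constructed plugin directory; mkdir fails if the path already exists.
my $dir = "/tmp/taint-demo.$$";
mkdir $dir, 0700 or die "mkdir $dir: $!";
my $stub = "$dir/MyExample.pm";          # constructed stub module
open my $fh, '>', $stub or die "open $stub: $!";
print {$fh} "package MyExample; sub ok { 'loaded' } 1;\n";
close $fh or die "close: $!";

# Names returned by readdir() are tainted (see perlsec).
opendir my $dh, $dir or die "opendir: $!";
my @names = grep { !/^\./ } readdir $dh;
closedir $dh;

for my $name (@names) {
    # 1. Tainted path: require refuses it under -T.
    my $ok = eval { require "$dir/$name"; 1 };
    print "tainted:   ", ($ok ? "loaded\n" : $@);

    # 2. Untaint by capturing against a strict allowlist pattern:
    #    a plain module file name, no slashes, no leading dot.
    my ($safe) = $name =~ /\A([A-Za-z][\w-]*\.pm)\z/
        or do { warn "skipping unexpected name\n"; next };
    $ok = eval { require "$dir/$safe"; 1 };
    print "untainted: ", ($ok ? MyExample::ok() . "\n" : $@);
}

# Remove the constructed files again.
unlink $stub;
rmdir $dir;
```

The regex capture is what clears the taint flag, so the pattern should accept only the names the loader is meant to handle rather than matching everything.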
