Problems MailScanner 4.78.17
ThB
lists at buschor.ch
Wed Nov 25 16:57:18 GMT 2009
Hello,
There's another small taint problem in Message.pm.
It occurred when scanning an EICAR test virus.
MailScanner's debugging output:
In Debugging mode, not forking...
Trying to setlogsock(native)
INFO:: Meaningless output that goes nowhere, to keep SAVI happy
Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in eval while running with -T switch at
/opt/MailScanner/lib/MailScanner/Message.pm line 4372, <GEN65> line 1.
-> at this point the MailScanner gets killed
Code Snippet Message.pm
4369 $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters
4370 # Untainting joy...
4371 $line =~ $1 if $line =~ /(.*)/;
4372 $result = eval "\"$line\"";
After checking & trying to understand the code, I think the problem is
line 4371 which should be:
4371 $line = $1 if $line =~ /(.*)/;
(note the "=" instead of "=~")
After this modification my MailScanner 4.79.3-1 is running perfectly.
regards
Thomas
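The following stand-alone script is an added example, not code from MailScanner or from Thomas's post. It reproduces the failure described above under perl -T and shows why the one-character fix works: with `=~`, the statement modifier runs `/(.*)/` first and sets $1, then `$line =~ $1` merely matches $line against that captured text and discards the result, so $line is never reassigned and stays tainted, and the string eval on the next line dies with "Insecure dependency in eval". With `=`, $line is replaced by the capture, which Perl treats as untainted. The sample line, the helper names (escape_for_eval, untaint_buggy, untaint_fixed) and the use of a zero-length slice of $ENV{PATH} to taint the sample are all constructed for this example.

```perl
#!/usr/bin/perl
# Run as:  perl -T this_script.pl
# Added example (not MailScanner code): reproduce and fix the taint bug.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input. Data read from a message is tainted under -T;
# appending a zero-length slice of an environment value taints the literal
# in the same way without changing its contents.
my $taint = substr($ENV{PATH} // '', 0, 0);
my $line  = 'EICAR (test) file [x] "quoted"?' . $taint;

# Same escaping as the Message.pm snippet: backslash regex metacharacters
# and quotes so the string eval below sees them as literal text.
sub escape_for_eval {
    my ($s) = @_;
    $s =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g;
    return $s;
}

# The buggy untaint from the post (the `=~` form). The modifier runs first
# and sets $1 to the whole string; `$s =~ $1` then only matches $s against
# that text in void context. $s is unchanged and therefore still tainted.
sub untaint_buggy {
    my ($s) = @_;
    $s =~ $1 if $s =~ /(.*)/;
    return $s;
}

# The corrected untaint (the `=` form): assigning the capture gives an
# untainted copy. Note that /(.*)/ accepts anything, so after this point the
# escaping above is the only thing that bounds what the string eval can do.
sub untaint_fixed {
    my ($s) = @_;
    $s = $1 if $s =~ /(.*)/;
    return $s;
}

for my $variant ([buggy => \&untaint_buggy], [fixed => \&untaint_fixed]) {
    my ($name, $untaint) = @$variant;
    my $s = $untaint->(escape_for_eval($line));
    printf "%-5s tainted=%d ", $name, tainted($s) ? 1 : 0;

    # Same construct as Message.pm line 4372; under -T this dies if $s is
    # still tainted, which is exactly the message seen in the debug output.
    my $result = eval "\"$s\"";
    if ($@) { print "eval died: $@"; }
    else    { print "result=$result\n"; }
}
```

Running it with perl -T prints one line per variant: the buggy one reports tainted=1 and an "Insecure dependency in eval while running with -T switch" error, the fixed one reports tainted=0 and the unescaped text. A practitioner should keep in mind that `$x = $1 if $x =~ /(.*)/` is a blanket untaint; it tells Perl to trust the data without validating it, so any safety here comes from the escaping step before it, not from the untaint itself.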