compatibility issue with Archive::Zip::Member v1.30?

MailScanner ports at raveland.org
Thu Oct 14 08:57:38 IST 2010


On Wed, Oct 06, 2010 at 10:47:04AM +0100, Edward Prendergast wrote:
> Hi,
> 
> I'm seeing MailScanner 4.81.4 return "MailScanner: Message attempted
> to kill MailScanner" every time it tries to process an .xlsx file
> (Microsoft Excel 2010's format). IIRC the format is a zip container
> with the actual Excel data inside it.
> 
> When I run MailScanner in debug mode and send one of these files
> through I get the error message:
> 
> Insecure dependency in chmod while running with -T switch at
> /opt/perl5/lib/site_perl/5.12.2/Archive/Zip/Member.pm line 490.
> 
> That line in Member.pm (v1.30) says:
> 
> chmod ($self->unixFileAttributes(), $name)
> 
> My guess is that $name is being passed down, hasn't been checked
> anywhere and so is causing a taint issue.
> 
> Should I just do a local rebuild of this module that does $name =~
> /.*/ to fix this issue for now and then submit it as a patch back to
> the vendor? Just modifying the code like this doesn't seem like a
> great long term solution though as it could be a security risk?
> 
> Thanks,
> Edward

Hi,

I saw this bug too. All the .docx attachments crash MailScanner.
Someone opened a bug here: http://rt.cpan.org/Public/Bug/Display.html?id=61930

To avoid the crash, I found this workaround: set Maximum Archive Depth to 0.
Like this, the .docx files are no longer scanned.

Regards,
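
The taint failure discussed in this thread, as an added example that is not part of either message or of Archive::Zip: Perl untaints only what a regex capture returns, so a catch-all pattern launders any name, while an anchored allowlist keeps the check meaningful. The helper `untaint_member_name`, its allowlist, the sample names and the base directory are all assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl   (taint mode must be on for the demo)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper (not part of Archive::Zip or MailScanner): return an
# untainted copy of a zip member name only if it passes validation.
sub untaint_member_name {
    my ($name) = @_;
    return unless defined $name && length $name;
    return if $name =~ m{\A/};                        # absolute path
    return if grep { $_ eq '..' } split m{/}, $name;  # directory traversal
    # Allowlist chosen for this demo: word chars, dot, dash, brackets,
    # space and slash. Only the captured $1 is untainted.
    return $name =~ m{\A([\w.\-\[\] /]+)\z} ? $1 : undef;
}

# Constructed sample names. Appending a zero-length tainted string marks
# them tainted, as names read from an attachment would be.
my $taint = substr("$0$^X", 0, 0);
my @names = map { $_ . $taint }
    ('[Content_Types].xml', 'word/document.xml',
     '../../etc/passwd', "report\n.xml");

# Constructed, nonexistent directory so that no real file is touched.
my $base = '/nonexistent-demo-dir';

for my $raw (@names) {
    (my $shown = $raw) =~ s/\n/\\n/g;

    # Raw name: the taint check fires before the system call is made.
    my $ok = eval { chmod 0644, "$base/$raw"; 1 };
    printf "%-22s raw name: %s\n", $shown,
        $ok ? 'accepted' : 'blocked by taint check';

    # Validated name: chmod raises no taint error (it returns 0 here
    # because the file does not exist).
    my $clean = untaint_member_name($raw);
    if (defined $clean) {
        chmod 0644, "$base/$clean";
        printf "%-22s validated, tainted=%d\n", '', tainted($clean) ? 1 : 0;
    }
    else {
        printf "%-22s rejected by validation\n", '';
    }
}
```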

