Taint problems

Rick Cooper rcooper at dwford.com
Thu Apr 21 19:25:53 IST 2011


Stuart Henderson wrote:
> On 2011-04-20, Glenn Steen <glenn.steen at gmail.com> wrote:
>> So... What updates did you do? Do you install perl via yum and the
>> MailScanner modules via Jules packaging? That is, especially on such
>> a volatile distro as Fedora, a recipe for failure... as you've
>> noticed. 
> 
> This is almost certainly fallout from CVE-2011-1487 fixes.
> 
> "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
> 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
> do not apply the taint attribute to the return value upon processing
> tainted input, which might allow context-dependent attackers to bypass
> the taint protection mechanism via a crafted string."
> 

I agree, I do not see where the value of $fh is untainted at any point. The
OP could try 

$fh =~ m/(.*)/;
$fh = $1;


above the offending line and see if that resolves it. Of course that is not
a proper way to untaint the variable, but I do not know off the top of my
head what constraints MailScanner really places on the lock file name. It
looks to me that the mode should not be tainted, so it must be the name. This might be
something Julian wants to revisit with so many people using perl 5.10+.


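The following is an added example, not code from this thread or from MailScanner itself. It shows, under Perl's -T switch, why a write-mode open() on a lock file with a tainted name dies, how to untaint the name by validating it against a restrictive pattern instead of the blanket m/(.*)/ suggested above, and how to check whether the running perl still exhibits the CVE-2011-1487 behaviour where lc() silently drops the taint flag. The lock directory (/tmp), the function names and the sample file names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example (not from the mailing list thread or MailScanner's code).
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Under -T every %ENV value is tainted. A zero-length substr of a tainted
# value is still tainted, so appending it marks a constructed sample as
# tainted, just as if it had come from a config file, @ARGV or a socket.
my $taint = substr($ENV{PATH} // '', 0, 0);   # '' but carries the taint flag

# Taint mode also requires a trusted PATH before any child process is run.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $lock_name = 'MailScanner.lock' . $taint;   # constructed, tainted
my $bad_name  = '../other.lock'    . $taint;   # constructed, tainted

# Untaint by validation: accept only a plain basename made of safe
# characters (no path separators, no leading dot, bounded length).
# Regex capture groups are untainted, so $1 is the cleaned value.
sub untaint_lock_name {
    my ($name) = @_;
    return unless defined $name;
    if ($name =~ m{\A([A-Za-z0-9][A-Za-z0-9._-]{0,127})\z}) {
        return $1;
    }
    return;   # reject anything else rather than guessing
}

# CVE-2011-1487 check: a fixed perl keeps the taint flag through lc()/uc();
# an unpatched 5.10-5.13 perl returns an untainted copy.
sub lc_preserves_taint {
    my $t = substr($ENV{HOME} // $0, 0, 0) . $taint;   # tainted via $taint
    return tainted(lc('ABC' . $t)) ? 1 : 0;
}

sub demo {
    my $dir = '/tmp';   # assumed lock directory for the demo

    for my $candidate ($lock_name, $bad_name) {
        my $clean = untaint_lock_name($candidate);
        if (!defined $clean) {
            printf "reject %-18s (tainted=%d)\n", $candidate, tainted($candidate) ? 1 : 0;
            next;
        }
        my $path = File::Spec->catfile($dir, $clean);
        printf "accept %-18s -> %s (tainted=%d)\n", $candidate, $path, tainted($path) ? 1 : 0;
    }

    # What the original poster hit: a write-mode open on a tainted name
    # dies with "Insecure dependency in open while running with -T switch".
    my $ok = eval {
        open(my $fh, '>>', "$dir/$lock_name") or die "open: $!";
        close $fh;
        1;
    };
    print 'open with tainted name: ', ($ok ? "succeeded\n" : "died: $@");

    printf "lc() preserves taint on this perl: %s\n",
        lc_preserves_taint() ? 'yes' : 'no (CVE-2011-1487 behaviour present)';
}

demo();
```

Run it as `perl -T taint_demo.pl`; invoking it as `perl taint_demo.pl` makes perl abort with "Too late for -T", because the switch must be present on the command line, not only on the shebang line. The strict pattern in untaint_lock_name is the point of the example: m/(.*)/ launders any value, including one containing path separators, whereas a character-class allowlist lets a validation failure surface as a rejected name instead of a write to an unintended path.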
