Taint issues on 4.85.2-1

Jason Ede J.Ede at birchenallhowden.co.uk
Thu Apr 23 08:54:30 UTC 2015


Ok, looking through the MailScanner.pm file…

When in debug mode it’s complaining around line 1100 when it calls

$batch->Explode($Debug);

That triggers one line containing
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/vendor_perl/IO/File.pm line 185, <$fh> line 4.

For each message in the batch.


Also around line 1250 where it does
$batch->SignUninfected();
I get
 Insecure dependency in open while running with -T switch at /usr/lib64/perl5/vendor_perl/IO/File.pm line 185.

for each message in the batch…

Hopefully that will help narrow it down a bit…

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 23 April 2015 09:13
To: MailScanner Discussion
Subject: RE: Taint issues on 4.85.2-1

Hi Jerry,

Did you get the IO::File.pm file? The version of it is 1.14

Will look at it a bit more from here…

It’s the same on my production box and that is ok on an older version of MailScanner.

Jason


From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 21 April 2015 09:17
To: MailScanner Discussion
Subject: RE: Taint issues on 4.85.2-1

Emailed you the file directly.

Jason

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 21 April 2015 09:06
To: MailScanner Discussion
Subject: Re: Taint issues on 4.85.2-1

Mmmmm … not going to do it. Can you send me /usr/lib64/perl5/IO/File.pm  ?

-
Jerry Benton
www.mailborder.com



On Apr 21, 2015, at 4:04 AM, Jason Ede <J.Ede at birchenallhowden.co.uk> wrote:

Hi Jerry,

Here is the top of the file

#

package IO::File;

=head1 NAME

IO::File - supply object methods for filehandles

=head1 SYNOPSIS

    use IO::File;

    $fh = new IO::File;
    if ($fh->open("< file")) {
        print <$fh>;
        $fh->close;
    }

    $fh = new IO::File "> file";
    if (defined $fh) {
        print $fh "bar\n";
        $fh->close;
    }

    $fh = new IO::File "file", "r";
    if (defined $fh) {
        print <$fh>;
        undef $fh;       # automatically closes the file
    }

    $fh = new IO::File "file", O_WRONLY|O_APPEND;
    if (defined $fh) {
        print $fh "corge\n";

        $pos = $fh->getpos;
        $fh->setpos($pos);

        undef $fh;       # automatically closes the file
    }

    autoflush STDOUT 1;

=head1 DESCRIPTION

From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 13 April 2015 15:26
To: MailScanner Discussion
Subject: Re: Taint issues on 4.85.2-1

I believe this is a perl-IO-File thing and not a MailScanner thing. Can you send the head of that file? First 20 lines or so.

-
Jerry Benton
www.mailborder.com



On Apr 9, 2015, at 4:22 AM, Jason Ede <J.Ede at birchenallhowden.co.uk> wrote:


Installed this version on my development environment on CentOS 6.6 and then run debug and I get a load of taint errors.

MailScanner --debug


In Debugging mode, not forking...
Trying to setlogsock(unix)
pyzor: check failed: internal error, python traceback seen in response
Building a message batch to scan...
Have a batch of 10 messages.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185, <$fh> line 4.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.


Checked and /usr/sbin/MailScanner has the -U switch in it so it shouldn’t have this issue… Suggestions?

Jason


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner
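
The following is an added illustration, not code from the thread or from MailScanner: a minimal Perl script that reproduces the "Insecure dependency in open" condition by passing a file name read from a file (and therefore tainted) to IO::File for writing, then shows the same name accepted after validation. The scratch directory, the file names and the allow-list pattern are all constructed for the demo.

```perl
#!/usr/bin/perl
# Added illustration. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use IO::File;

die "run with: perl -T $0\n" unless ${^TAINT};

# Scratch directory built only from a literal and the PID, so it is untainted.
my $dir = "/tmp/taint-demo-$$";
mkdir $dir, 0700 or die "mkdir $dir: $!";

# Constructed input: a list of requested output names, one per line.
my $list = "$dir/names.txt";
my $out  = IO::File->new($list, "w") or die "open $list: $!";
print $out "report-01.txt\n", "../escape.txt\n";
$out->close;

# Anything read from a file is tainted, even a file this process just wrote.
my $in = IO::File->new($list, "r") or die "open $list: $!";
chomp(my @names = <$in>);
$in->close;

for my $name (@names) {
    # 1. Tainted name used in an open-for-write: perl refuses inside IO::File.
    my $fh = eval { IO::File->new("$dir/$name", "w") };
    print "tainted   '$name': ", ($@ ? $@ : "opened\n");
    $fh->close if $fh;

    # 2. Match against an allow-list pattern; the captured value is untainted.
    if (my ($safe) = $name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]*)\z/) {
        my $ok = IO::File->new("$dir/$safe", "w") or die "open $safe: $!";
        $ok->close;
        print "validated '$safe': opened\n";
    } else {
        print "rejected  '$name': not a plain file name\n";
    }
}

# Clean up using literal (untainted) names only.
unlink "$dir/report-01.txt", $list;
rmdir $dir;
```

Under plain -T the first open dies with the same "Insecure dependency in open" text reported at IO/File.pm in the thread. Perl's -U switch, with warnings enabled, turns that fatal error into a warning and lets the open go ahead.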


