Mailing List Archive: SpamAssassin: devel

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe

Index | Next | Previous | View Threaded

bugzilla-daemon at bugzilla

Jun 29, 2009, 4:23 AM

Post #1 of 10 (369 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #27 from Justin Mason <jm[at]jmason.org> 2009-06-29 04:23:43 PST ---
can anyone test this? I've asked the users@ list to test, and if it's ok I'll
apply it.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jun 29, 2009, 4:24 AM

Post #2 of 10 (352 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

Justin Mason <jm[at]jmason.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|P1 |P3

--- Comment #28 from Justin Mason <jm[at]jmason.org> 2009-06-29 04:24:29 PST ---
lowering pri without testers

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jun 29, 2009, 8:40 AM

Post #3 of 10 (351 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

Kevin Golding <caomhin[at]gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |caomhin[at]gmail.com

--- Comment #29 from Kevin Golding <caomhin[at]gmail.com> 2009-06-29 08:40:38 PST ---
Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in concatenation
(.) or string at /usr/local/bin/spamd line 2113, <GEN164> line 2.
Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in concatenation
(.) or string at /usr/local/bin/spamd line 2125, <GEN164> line 2.
Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in pattern match
(m//) at /usr/local/bin/spamd line 2166, <GEN164> line 2.

Doesn't seem to fix it for me.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jun 29, 2009, 9:51 AM

Post #4 of 10 (352 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #30 from Sossi Andrej <asossi[at]dotcom.ts.it> 2009-06-29 09:50:59 PST ---
(In reply to comment #29)
> Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in concatenation
> (.) or string at /usr/local/bin/spamd line 2113, <GEN164> line 2.
> Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in concatenation
> (.) or string at /usr/local/bin/spamd line 2125, <GEN164> line 2.
> Jun 29 15:35:03 offa spamd[63128]: Use of uninitialized value in pattern match
> (m//) at /usr/local/bin/spamd line 2166, <GEN164> line 2.
>
> Doesn't seem to fix it for me.

What patch did you tested? The line 2113 is a comment if applies patch to
version 3.2.5 of Spamassassin.
Tomorrow I send the complete list of tests that I run with the most
combinations of aliases that I used.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jun 29, 2009, 10:01 AM

Post #5 of 10 (352 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #31 from Kevin Golding <caomhin[at]gmail.com> 2009-06-29 10:01:02 PST ---
Patch 4432 against SA 3.2.5 - admittedly one installed through FreeBSD Ports
but the only patch that applies to spamd is
http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/p5-Mail-SpamAssassin/files/patch-spamd_spamd.raw?rev=1.3

Line 2113 for me reads:

$dir = `$vpopdir/bin/vuserinfo -d \Q$username\E`;

2125:

$vpopalias = `$vpopdir/bin/valias \Q$username\E`;

And 2166:

if ($#todo == -1 && $work !~
/[a-z0-9_-]+(\.[a-z0-9_-]+)*@[a-z0-9_-]{2,}(\.[a-z0-9_-]+)*\.[a-z]{2,4}/) {

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jun 29, 2009, 11:06 AM

Post #6 of 10 (349 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #32 from Sossi Andrej <asossi[at]dotcom.ts.it> 2009-06-29 11:06:01 PST ---
Weird. I also use SpamAssassin from ports of Freebsd. I did the installation on
February 3 but I do not see major differences in the port so far.
My configuration was:
web # make showconfig
===> The following configuration options are available for
p5-Mail-SpamAssassin-3.2.5_1:
AS_ROOT = on "Run spamd as root (recommended)"
Spamc = on "Build spamd / spamc (not for amavisd)
SACOMPILE = on "sa-compile"
DKIM = on "DKIM / DomainKeys Identified Mail"
SSL = off "Build with SSL support for spamd / spamc"
GNUPG = on "Install GnuPG (for sa-update)"
MYSQL = off "Add MySQL support"
Pgsql = off "Add PostreSQL support"
RAZOR = on "Add Vipul's Razor support"
SPF_QUERY = on "Add SPF query support"
RELAY_COUNTRY = on "Relay country support"
===> Use 'make config' to modify these settings

The patch works fine by February without errors or warnings in the logs.

I try to investigate tomorrow.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jul 6, 2009, 2:28 AM

Post #7 of 10 (290 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #33 from Sossi Andrej <asossi[at]dotcom.ts.it> 2009-07-06 02:28:29 PST ---
I'm sorry for the delay, but I had lots of work to do and I didn't have the
chance to answer before.
While checking the source code, the pointed out error is generated when the
username isn't set.
It never happened to me that the username (e-mail address) hasn't been set
before entering in my patch. It's strange. I modified the patch to avoid the
error. If the username doesn't improve the function the user_prefers can't
be applied.
Thank you very much for the tests.

Best regards.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jul 6, 2009, 2:31 AM

Post #8 of 10 (289 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

Sossi Andrej <asossi[at]dotcom.ts.it> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #4432|0 |1
is obsolete| |

--- Comment #34 from Sossi Andrej <asossi[at]dotcom.ts.it> 2009-07-06 02:31:01 PST ---
Created an attachment (id=4471)
--> (https://issues.apache.org/SpamAssassin/attachment.cgi?id=4471)
Corrected patch

Avoid warning message if username is not set.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jul 6, 2009, 5:55 AM

Post #9 of 10 (290 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #35 from Kevin Golding <caomhin[at]gmail.com> 2009-07-06 05:55:40 PST ---
I can't recreate the errors this time, looks good to me.

+1 for inclusion

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

bugzilla-daemon at bugzilla

Jul 6, 2009, 6:30 AM

Post #10 of 10 (289 views)
Permalink

[Bug 2536] vpopmail/qmail code neither warning- nor 100% taint-safe [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536

--- Comment #36 from Justin Mason <jm[at]jmason.org> 2009-07-06 06:30:09 PST ---
great! I'll apply this later. thanks for testing it

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com